OpenWrt IKEv2 NAT traversal (or similar) problem

Yousong Zhou yszhou4tech at gmail.com
Tue May 30 18:09:26 PDT 2023


On Wed, 31 May 2023 at 06:38, Peter Naulls <peter at chocky.org> wrote:
>
> On 5/30/23 18:16, Yousong Zhou wrote:
> > On Wednesday, 31 May 2023, Peter Naulls <peter at chocky.org> wrote:
> >>
> >>
> >
> > I am afraid the above is still single direction traffic.
>
> Sorry, quite so.  I finished this email in the middle of something else.  There
> is return traffic:
>
> To Google, which works.
>
> 16:57:11.936911 IP (tos 0x0, ttl 128, id 43279, offset 0, flags [none], proto
> UDP (17), length 29)
>      192.168.113.102.4500 > 89.187.170.130.4500: [udp sum ok] isakmp-nat-keep-alive
> 16:57:16.597085 IP (tos 0x0, ttl 255, id 43280, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x31b), length 100
> 16:57:16.597085 IP (tos 0x0, ttl 255, id 43281, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x31c), length 100
> 16:57:16.629104 IP (tos 0x0, ttl 128, id 43983, offset 0, flags [none], proto
> UDP (17), length 60)
>      192.168.113.102.63724 > 192.168.113.3.53: [udp sum ok] 56044+ AAAA?
> www.google.com. (32)
> 16:57:16.629104 IP (tos 0x0, ttl 128, id 43982, offset 0, flags [none], proto
> UDP (17), length 60)
>      192.168.113.102.54875 > 192.168.113.3.53: [udp sum ok] 4736+ A?
> www.google.com. (32)
> 16:57:16.630048 IP (tos 0x0, ttl 255, id 43282, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x31d), length 100
> 16:57:16.630050 IP (tos 0x0, ttl 255, id 43283, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x31e), length 100
> 16:57:16.634072 IP (tos 0x0, ttl 64, id 12085, offset 0, flags [DF], proto UDP
> (17), length 88)
>      192.168.113.3.53 > 192.168.113.102.63724: [bad udp cksum 0x6410 -> 0x70cf!]
> 56044 q: AAAA? www.google.com. 1/0/0 www.google.com. [1m52s] AAAA
> 2607:f8b0:4006:81d::2004 (60)
> 16:57:16.639834 IP (tos 0x0, ttl 64, id 12086, offset 0, flags [DF], proto UDP
> (17), length 76)
>      192.168.113.3.53 > 192.168.113.102.54875: [bad udp cksum 0x6404 -> 0x3314!]
> 4736 q: A? www.google.com. 1/0/0 www.google.com. [4m19s] A 142.251.32.100 (48)
> 16:57:16.654048 IP (tos 0x68, ttl 50, id 41090, offset 0, flags [none], proto
> UDP (17), length 224)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x26d), length 196
> 16:57:16.665933 IP (tos 0x68, ttl 50, id 41091, offset 0, flags [none], proto
> UDP (17), length 240)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x26e), length 212
> 16:57:16.668916 IP (tos 0x0, ttl 255, id 43284, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x31f), length 100
> 16:57:16.711776 IP (tos 0x68, ttl 50, id 41104, offset 0, flags [none], proto
> UDP (17), length 160)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x26f), length 132
>
> To another site, which doesn't:
>
>
> 17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto
> UDP (17), length 144)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x415), length 116
> 17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto
> UDP (17), length 144)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x416), length 116
> 17:02:12.374062 IP (tos 0x68, ttl 50, id 6571, offset 0, flags [none], proto UDP
> (17), length 208)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x33b), length 180
> 17:02:12.382227 IP (tos 0x0, ttl 255, id 43528, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x417), length 100
> 17:02:12.523997 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP
> (17), length 128)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x33c), length 100
> 17:02:12.525249 IP (tos 0x0, ttl 255, id 43529, offset 0, flags [none], proto
> UDP (17), length 112)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x418), length 84
> 17:02:12.538861 IP (tos 0x68, ttl 50, id 6599, offset 0, flags [none], proto UDP
> (17), length 208)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x33d), length 180
> 17:02:12.625718 IP (tos 0x0, ttl 255, id 43530, offset 0, flags [none], proto
> UDP (17), length 624)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x419), length 596
> 17:02:12.855180 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP
> (17), length 368)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x33e), length 340
> 17:02:12.856246 IP (tos 0x0, ttl 255, id 43531, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x41a), length 100
> 17:02:16.063389 IP (tos 0x0, ttl 128, id 43532, offset 0, flags [none], proto
> UDP (17), length 29)
>      192.168.113.102.4500 > 89.187.170.130.4500: [udp sum ok] isakmp-nat-keep-alive
> 17:02:16.797712 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has
> 192.168.113.3 (34:ba:9a:7b:65:82) tell 192.168.113.102, length 46
> 17:02:16.798006 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.113.3 is-at
> 34:ba:9a:7b:65:82, length 28
> 17:02:17.310347 IP (tos 0x0, ttl 255, id 43533, offset 0, flags [none], proto
> UDP (17), length 144)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x41b), length 116
> 17:02:17.310880 IP (tos 0x0, ttl 255, id 43534, offset 0, flags [none], proto
> UDP (17), length 144)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x41c), length 116
> 17:02:17.329423 IP (tos 0x0, ttl 128, id 43991, offset 0, flags [none], proto
> UDP (17), length 75)
>      192.168.113.102.55020 > 192.168.113.3.53: [udp sum ok] 40742+ AAAA?
> v10.events.data.microsoft.com. (47)
> 17:02:17.329423 IP (tos 0x0, ttl 128, id 43992, offset 0, flags [none], proto
> UDP (17), length 75)
>      192.168.113.102.60074 > 192.168.113.3.53: [udp sum ok] 35138+ A?
> v10.events.data.microsoft.com. (47)
> 17:02:17.329869 IP (tos 0x0, ttl 255, id 43536, offset 0, flags [none], proto
> UDP (17), length 144)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x41e), length 116
> 17:02:17.329871 IP (tos 0x0, ttl 255, id 43535, offset 0, flags [none], proto
> UDP (17), length 144)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x41d), length 116
> 17:02:17.358801 IP (tos 0x0, ttl 64, id 24779, offset 0, flags [DF], proto UDP
> (17), length 216)
>      192.168.113.3.53 > 192.168.113.102.60074: [bad udp cksum 0x6490 -> 0x2e51!]
> 35138 q: A? v10.events.data.microsoft.com. 3/0/0 v10.events.data.microsoft.com.
> [1m47s] CNAME win-global-)
> 17:02:17.370702 IP (tos 0x0, ttl 64, id 24780, offset 0, flags [DF], proto UDP
> (17), length 261)
>      192.168.113.3.53 > 192.168.113.102.55020: [bad udp cksum 0x64bd -> 0xcaa9!]
> 40742 q: AAAA? v10.events.data.microsoft.com. 2/1/0
> v10.events.data.microsoft.com. [1m47s] CNAME win-glob)


Is it that your DNS traffic is not going through the tunnel?  curl
-vvv should reveal the IP address it tries to connect to.  One
possibility is that maybe the resolv result does not work.

                yousong

> 17:02:17.377951 IP (tos 0x68, ttl 50, id 7602, offset 0, flags [none], proto UDP
> (17), length 288)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x33f), length 260
> 17:02:17.389917 IP (tos 0x68, ttl 50, id 7604, offset 0, flags [none], proto UDP
> (17), length 336)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x340), length 308
> 17:02:17.392532 IP (tos 0x0, ttl 255, id 43537, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x41f), length 100
> 17:02:17.416957 IP (tos 0x68, ttl 50, id 7611, offset 0, flags [none], proto UDP
> (17), length 288)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x341), length 260
> 17:02:17.429009 IP (tos 0x68, ttl 50, id 7612, offset 0, flags [none], proto UDP
> (17), length 336)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x342), length 308
> 17:02:17.487013 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP
> (17), length 128)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x343), length 100
> 17:02:17.488090 IP (tos 0x0, ttl 255, id 43538, offset 0, flags [none], proto
> UDP (17), length 112)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x420), length 84
> 17:02:17.489542 IP (tos 0x0, ttl 255, id 43539, offset 0, flags [none], proto
> UDP (17), length 320)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x421), length 292
> 17:02:17.660384 IP (tos 0x0, ttl 255, id 43540, offset 0, flags [none], proto
> UDP (17), length 112)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x422), length 84
> 17:02:17.797735 IP (tos 0x0, ttl 255, id 43541, offset 0, flags [none], proto
> UDP (17), length 320)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x423), length 292
> 17:02:17.901092 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP
> (17), length 128)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x344), length 100
> 17:02:19.893671 IP (tos 0x68, ttl 50, id 7925, offset 0, flags [none], proto UDP
> (17), length 656)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x345), length 628
> 17:02:19.938739 IP (tos 0x0, ttl 255, id 43542, offset 0, flags [none], proto
> UDP (17), length 112)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x424), length 84
> 17:02:20.019196 IP (tos 0x68, ttl 50, id 7932, offset 0, flags [none], proto UDP
> (17), length 656)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x346), length 628
> 17:02:20.019378 IP (tos 0x68, ttl 50, id 7933, offset 0, flags [none], proto UDP
> (17), length 656)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x347), length 628
> 17:02:20.019995 IP (tos 0x0, ttl 255, id 43543, offset 0, flags [none], proto
> UDP (17), length 112)
>      192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
> ESP(spi=0xc4a096e5,seq=0x425), length 84
> 17:02:20.111272 IP (tos 0x68, ttl 50, id 7951, offset 0, flags [none], proto UDP
> (17), length 656)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x348), length 628
> 17:02:20.111446 IP (tos 0x68, ttl 50, id 7952, offset 0, flags [none], proto UDP
> (17), length 656)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x349), length 628
> 17:02:20.111526 IP (tos 0x68, ttl 50, id 7953, offset 0, flags [none], proto UDP
> (17), length 656)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x34a), length 628
> 17:02:20.111599 IP (tos 0x68, ttl 50, id 7954, offset 0, flags [none], proto UDP
> (17), length 656)
>      89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap:
> ESP(spi=0x0a11bcfe,seq=0x34b), length 628
> 17:02:20.112186 IP (tos 0x0, ttl 255, id 43544, offset 0, flags [none], proto
> UDP (17), length 112)
>
>
>
> > Try wireshark on the windows host itself to collect the traffic before
> > entering the tunnel may help.
>
> Yes, I will do some more exact tracing on Windows; some previous efforts
> in this direction didn't help, but I can try again.
>
>
> > Verbose curl logging (-vvv) is another
> > source of information
>
> Yes, unfortunately exactly no data comes back in this case, just the
> initial debug for a connection; it'll just eventually timeout.
>
> Thanks.
>
>
>
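
Added example (not part of the original message): a small Python check for the question raised above, whether DNS lookups are leaving outside the tunnel. It unwraps a mail-quoted `tcpdump -v` capture and lists the DNS queries the client sent in cleartext next to the ESP-in-UDP packet counts per direction; the sample capture and its addresses are constructed placeholders, and `summarize` is a hypothetical helper name.

```python
import re

# Constructed sample in `tcpdump -v` format, wrapped and quoted as a mail client would.
# Addresses and names are placeholders, not values taken from the thread.
SAMPLE = """\
> 10:00:01.000001 IP (tos 0x0, ttl 255, id 1, offset 0, flags [none], proto
> UDP (17), length 128)
>      192.168.1.50.4500 > 203.0.113.10.4500: [no cksum] UDP-encap:
> ESP(spi=0x11111111,seq=0x1), length 100
> 10:00:01.000200 IP (tos 0x0, ttl 128, id 2, offset 0, flags [none], proto
> UDP (17), length 60)
>      192.168.1.50.63724 > 192.168.1.1.53: [udp sum ok] 56044+ AAAA?
> www.example.com. (32)
> 10:00:01.002000 IP (tos 0x68, ttl 50, id 4, offset 0, flags [none], proto
> UDP (17), length 224)
>      203.0.113.10.4500 > 192.168.1.50.4500: [no cksum] UDP-encap:
> ESP(spi=0x22222222,seq=0x1), length 196
> 10:00:05.000000 IP (tos 0x0, ttl 128, id 5, offset 0, flags [none], proto
> UDP (17), length 29)
>      192.168.1.50.4500 > 203.0.113.10.4500: [udp sum ok] isakmp-nat-keep-alive
"""

FLOW = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)")
QUERY = re.compile(r"^(?:\[[^\]]*\] )?\d+[+%*]* (A|AAAA)\? (\S+)")

def summarize(capture, client):
    """Count ESP-in-UDP packets per direction and list the client's cleartext DNS queries."""
    # Drop mail quote markers, undo line wrapping, then split at each timestamp.
    text = " ".join(re.sub(r"^[>\s]+", "", l) for l in capture.splitlines())
    records = re.split(r"(?=\b\d{2}:\d{2}:\d{2}\.\d{6} )", text)
    out = {"esp_out": 0, "esp_in": 0, "cleartext_dns": []}
    for rec in records:
        m = FLOW.search(rec)
        if not m:
            continue  # ARP and other records without an IPv4 flow
        src, sport, dst, dport, rest = m.groups()
        if "UDP-encap: ESP" in rest:
            out["esp_out" if src == client else "esp_in"] += 1
        elif src == client and dport == "53":
            q = QUERY.match(rest)
            if q:  # query visible on the wire, so it was not inside the ESP tunnel
                out["cleartext_dns"].append((q.group(1), q.group(2), dst))
    return out
```

A non-empty `cleartext_dns` list means those lookups went to the listed resolver unencrypted rather than through the tunnel.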
