Post by THaala » 07 Sep 2021, 14:33
I wonder why some IPsec SAs can exist without a covering IKE negotiation.
I have a lot of "LAST RESORT" VPNs. Clients connect from mobile provider radio networks.
Because all IPs are NATted very often, this type of VPN works in IKEv1 with aggressive mode and NAT Traversal only.

However, because of the NATted IP addresses these cannot be used as identity. Only FQDN or USER FQDN works as identity. It seems that Clavister (W30 / V13.00.12) checks only the match of the shared secret. The identity seems to be always accepted, but should not be duplicated.

With "ike -show -num=all" I can see a lot of identity strings, but not all. "ipsec -show -num=all" shows some networks which are correctly connected in the same manner as the others, but the (well known) identity is not shown by the matching ike command. The ike command shows only a subset of them, and only 16 characters of the identity string.

I ask you now how this can happen. In my opinion an active SA must be paired with an active IKE cover, isn't it?
Where are the missing identity strings, or rather the missing IKE entries?

Aggressive mode, USER FQDN Identity, encr AES256, SHA1, NATT enabled
IKE 28800 secs, DH group2, IPSEC 3600 secs / no Kilobytes PFS group 2.
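An added example for reconciling the two listings described in the post; it is not code from the poster or from Clavister, and the record layout, field names and sample identities below are constructed for the example (the real `ike -show` / `ipsec -show` output format is not modelled). In IKEv1 a phase 2 (IPsec) SA is negotiated under a phase 1 (IKE) SA but is a separate object with its own lifetime, so an implementation can keep it after the IKE SA has expired or been deleted, until the IPsec SA itself reaches its lifetime or is rekeyed. The script takes an IKE SA list whose identities are cut to 16 characters and an IPsec SA list with full identities, matches them by prefix, reports IPsec SAs with no live IKE SA, and lists full identities that become indistinguishable once truncated to the display width.

```python
"""Reconcile IPsec (phase 2) SAs with IKE (phase 1) SAs whose peer identity
is displayed truncated.  Added example; the record layout is constructed
for this example and is not the Clavister CLI's output format."""
from dataclasses import dataclass

IKE_ID_DISPLAY_LEN = 16  # the post reports the IKE listing shows 16 chars of the identity


@dataclass(frozen=True)
class IkeSa:
    identity: str   # as displayed: may be cut to IKE_ID_DISPLAY_LEN characters
    remaining: int  # seconds until the IKE SA expires (hypothetical field)


@dataclass(frozen=True)
class IpsecSa:
    identity: str   # full USER FQDN identity of the peer that negotiated this SA
    remote_net: str
    remaining: int  # seconds until the IPsec SA expires (hypothetical field)


def ike_id_matches(displayed: str, full: str) -> bool:
    """A displayed IKE identity matches a full identity if equal, or if it was
    cut at the display limit and is a prefix of the full identity."""
    if displayed == full:
        return True
    return len(displayed) == IKE_ID_DISPLAY_LEN and full.startswith(displayed)


def reconcile(ike_sas, ipsec_sas):
    """Return {remote_net: (status, candidate_count)} for every IPsec SA.

    status is 'covered' when at least one live IKE SA matches the SA's
    identity and 'orphan' when none does (phase 1 gone, phase 2 still alive)."""
    report = {}
    for p2 in ipsec_sas:
        candidates = [p1 for p1 in ike_sas if ike_id_matches(p1.identity, p2.identity)]
        report[p2.remote_net] = ("covered" if candidates else "orphan", len(candidates))
    return report


def orphans(ike_sas, ipsec_sas):
    """Remote networks whose IPsec SA has no matching IKE SA, sorted."""
    return sorted(net for net, (status, _) in reconcile(ike_sas, ipsec_sas).items()
                  if status == "orphan")


def display_collisions(ipsec_sas):
    """Full identities that collapse to the same 16-character display string,
    i.e. entries the truncated IKE listing cannot tell apart."""
    groups = {}
    for p2 in ipsec_sas:
        groups.setdefault(p2.identity[:IKE_ID_DISPLAY_LEN], set()).add(p2.identity)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


# Constructed sample data (not real peers): two IKE SAs, four IPsec SAs.
SAMPLE_IKE = [
    IkeSa("alice@vpn.exampl", 20000),   # truncated form of alice@vpn.example.*
    IkeSa("bob@vpn.example.", 15000),   # truncated form of bob@vpn.example.org
]
SAMPLE_IPSEC = [
    IpsecSa("alice@vpn.example.org", "10.10.1.0/24", 1200),
    IpsecSa("alice@vpn.example.net", "10.10.4.0/24", 2400),
    IpsecSa("bob@vpn.example.org", "10.10.2.0/24", 900),
    IpsecSa("carol@vpn.example.org", "10.10.3.0/24", 3000),  # IKE SA already gone
]

if __name__ == "__main__":
    for net, (status, n) in reconcile(SAMPLE_IKE, SAMPLE_IPSEC).items():
        print(f"{net:14} {status:8} ike_candidates={n}")
    print("orphan IPsec SAs:", orphans(SAMPLE_IKE, SAMPLE_IPSEC))
    print("identities indistinguishable in the IKE listing:", display_collisions(SAMPLE_IPSEC))
```

On the sample, `10.10.3.0/24` is reported as an orphan (an IPsec SA still inside its 3600 s lifetime while its IKE SA is absent), and the two `alice@vpn.example.*` identities are flagged as colliding at 16 characters, which is one reason a truncated IKE listing can look like a subset of the identities seen in the IPsec listing.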