UPD Sourceport change breaks natted IPSEC-Connections

[vondralbra]

After upgrading to VBox 3.1.8 a lot of disconnects of a previously working IPSEC(nat)-Tunnel are sighted. Especially when the IPSEC connection gets a bit of a load the connection gets stuck and times out after a while.

When the traffic on the router is monitored there is a sourceport change to be seen.
The IPSEC on the gateway machine tries in vain to send packages to the old port and eventually times out.
07:02:09.521426 IP 217.XXX.XXX.XXX.4500 > 91.XXX.XXX.XXX.54800: UDP-encap: ESP(spi=0xcefe8399,seq=0x74c), length 388

07:02:09.522515 IP 91.XXX.XXX.XXX.54800 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(spi=0xcd0add00,seq=0x76f), length 244

07:02:09.605433 IP 217.XXX.XXX.XXX.4500 > 91.XXX.XXX.XXX.54800: UDP-encap: ESP(spi=0xcefe8399,seq=0x74d), length 340

07:02:09.606553 IP 91.XXX.XXX.XXX.54800 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(spi=0xcd0add00,seq=0x770), length 356

07:02:09.693363 IP 217.XXX.XXX.XXX.4500 > 91.XXX.XXX.XXX.54800: UDP-encap: ESP(spi=0xcefe8399,seq=0x74e), length 196

the connection is fine up to that point where the router suddenly sends packets using the source-port 45102 instead of the old 54800 which worked:

07:02:09.693864 IP 91.XXX.XXX.XXX > 217.XXX.XXX.XXX: ICMP 91.XXX.XXX.XXX udp port 54800 unreachable, length 232

07:02:09.931251 IP 91.XXX.XXX.XXX.45102 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(spi=0xcd0add00,seq=0x772), length 356

07:02:10.018333 IP 217.XXX.XXX.XXX.4500 > 91.XXX.XXX.XXX.54800: UDP-encap: ESP(spi=0xcefe8399,seq=0x74f), length 116

07:02:10.018649 IP 91.XXX.XXX.XXX > 217.XXX.XXX.XXX: ICMP 91.XXX.XXX.XXX udp port 54800 unreachable, length 152

07:02:10.029414 IP 217.XXX.XXX.XXX.4500 > 91.XXX.XXX.XXX.54800: UDP-encap: ESP(spi=0xcefe8399,seq=0x750), length 196

07:02:10.029914 IP 91.XXX.XXX.XXX > 217.XXX.XXX.XXX: ICMP 91.XXX.XXX.XXX udp port 54800 unreachable, length 23

[vasily Levchenko]

Could you please attach the log? And does it appear in 3.1.8 or earlier. In other words does 3.1.6 work as it's expected for you?

[vondralbra]

Hello Hachi,

thanks for the swift reply. Of course there is no log of that session.
Should have known that this question would pop up.
Checking the IPSEC-config of the appliance I saw that the DPD-Keepalive had been set to 5 seconds. I set that value to 2 seconds this evening to keep the UDP-mapping table from overflowing.
And - on top of that - I'm not so sure anymore whether this bug report belongs to VirtualBox but more to the IPSEC-software which should not time out because of a port change according to rfc3947. I'll dig deeper into that and post results as soon as available.

t++

[vondralbra]

I went a bit into this issue and found out that for some odd reasons beyond my comprehension the kernel modules were not been built by the Package-Installer. After I built the modules by issuing a "/etc/init.d/vboxdrv setup" all went fine and dandy. Even the ridiculous ping time from a natted guest to the host system were gone. Sorry for the nuisance. Should have checked this first. It's a definite close for that ticket. Thank you one more time.

[vasily Levchenko]

Replying to vondralbra: Ok, will close.