Hi Jessie,

it is the IPsec ESP traffic which is encapsulated in UDP datagrams. The IKE protocol is always based on UDP with well-known source and destination port 500. When a NAT situation is detected then the source port is allowed to assume any port number and the UDP socket *must* float to 4500 in order to avoid conflicts with IPsec pass-through based on port forwarding.
Best regards

Andreas

Jessie Liu wrote:
> Hi all, I have a question about NAT and IPsec. I know that UDP
> encapsulation is used to solve the IPsec packet passing through NAT
> device problem. Does this apply to both IKE negotiation procedures
> and all following IPsec traffic communication between two ends? And
> floating to port 4500 is necessary with NAT device?
>
> Thanks in advance!!

======================================================================
Andreas Steffen                                      [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
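The reply above describes the port behaviour in prose: IKE starts on UDP 500, and once NAT is detected both IKE and the UDP-encapsulated ESP move to UDP 4500. The following classifier, added here as an illustration and not code from the thread or from strongSwan, shows how a monitoring tool would tell the three things that share port 4500 apart. It goes slightly beyond the post by using the demultiplexing rules of RFC 3948 (a 4-byte all-zero "Non-ESP Marker" in front of IKE messages on 4500, a single 0xFF byte as NAT keepalive, and the fact that ESP never uses SPI 0) and the IKEv2 header layout of RFC 7296. The packets in `sample_packets()` are constructed for this example; the SPI values and exchange sequence are made up.

```python
import struct
from dataclasses import dataclass, field

IKE_PORT = 500          # IKE always starts here (RFC 7296)
NATT_PORT = 4500        # IKE and UDP-encapsulated ESP after NAT detection (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix for IKE on port 4500; ESP SPI 0 is reserved
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive, port 4500 only

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass
class Classification:
    kind: str                      # "ike", "esp", "keepalive" or "unknown"
    detail: dict = field(default_factory=dict)


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed 28-byte IKEv2 header (RFC 7296, section 3.1)."""
    if len(data) < 28:
        raise ValueError("IKE header needs at least 28 bytes")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack(">8s8sBBBBII", data[:28])
    return {
        "spi_i": spi_i.hex(),
        "spi_r": spi_r.hex(),
        "version": f"{version >> 4}.{version & 0x0f}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & 0x08),
        "msg_id": msg_id,
        "length": length,
    }


def classify_udp_payload(src_port: int, dst_port: int, payload: bytes) -> Classification:
    """Classify one UDP datagram using only ports and the first bytes of payload."""
    if IKE_PORT in (src_port, dst_port):
        # Port 500 carries IKE only; ESP on port 500 is never valid.
        return Classification("ike", parse_ike_header(payload))
    if NATT_PORT in (src_port, dst_port):
        if payload == NAT_KEEPALIVE:
            return Classification("keepalive")
        if payload[:4] == NON_ESP_MARKER:
            # Zero marker cannot be an ESP SPI, so this is IKE floated to 4500.
            return Classification("ike", parse_ike_header(payload[4:]))
        if len(payload) >= 8:
            spi, seq = struct.unpack(">II", payload[:8])   # ESP header: SPI, sequence number
            return Classification("esp", {"spi": spi, "seq": seq})
    return Classification("unknown")


def summarize(packets) -> dict:
    """Count datagram kinds and report whether the exchange floated from 500 to 4500."""
    counts = {"ike": 0, "esp": 0, "keepalive": 0, "unknown": 0}
    saw_ike_on_500 = False
    floated = False
    for src, dst, payload in packets:
        cls = classify_udp_payload(src, dst, payload)
        counts[cls.kind] += 1
        if cls.kind == "ike" and IKE_PORT in (src, dst):
            saw_ike_on_500 = True
        elif saw_ike_on_500 and NATT_PORT in (src, dst):
            floated = True
    return {"counts": counts, "floated": floated}


def build_ike_header(spi_i: bytes, spi_r: bytes, exch: int, flags: int, msg_id: int) -> bytes:
    # Constructed header with no payloads; length field therefore equals 28.
    return struct.pack(">8s8sBBBBII", spi_i, spi_r, 0, 0x20, exch, flags, msg_id, 28)


def sample_packets():
    """Constructed datagrams (src_port, dst_port, payload) for a NAT-T session."""
    spi_i = bytes.fromhex("0102030405060708")   # made-up initiator SPI
    spi_r = bytes.fromhex("a0a1a2a3a4a5a6a7")   # made-up responder SPI
    return [
        (500, 500, build_ike_header(spi_i, bytes(8), 34, 0x08, 0)),            # IKE_SA_INIT
        (4500, 4500, NON_ESP_MARKER + build_ike_header(spi_i, spi_r, 35, 0x08, 1)),  # IKE_AUTH
        (4500, 4500, struct.pack(">II", 0xC0FFEE01, 1) + b"\x00" * 16),        # ESP in UDP
        (4500, 4500, NAT_KEEPALIVE),                                            # keepalive
    ]


if __name__ == "__main__":
    for src, dst, payload in sample_packets():
        print(src, dst, classify_udp_payload(src, dst, payload))
    print(summarize(sample_packets()))
```

In a real capture the same logic is what lets a firewall rule or IDS signature treat port 4500 correctly: an all-zero first word means IKE, a single 0xFF byte is a keepalive, and anything else is encapsulated ESP whose SPI is the only cleartext identifier available.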
