Hello Holger, it is important to understand that NAT-Traversal is implemented differently in the IKEv1 pluto and IKEv2 charon daemons, respectively.
IKEv1 pluto
-----------

Since the original IKEv1 standard didn't have NAT-T support, which was added later by RFC 3947 "Negotiation of NAT-Traversal in the IKE", NAT-T is disabled by default in the pluto daemon and must explicitly be enabled using the parameter

  nat_traversal=yes

With NAT-T enabled, pluto will float to UDP port 4500 starting with the third IKEv1 Main Mode message exchange if a NAT situation was detected using the NAT-D payloads during the second message exchange.

IKEv2 charon
------------

The nat_traversal parameter is ignored by the IKEv2 daemon since NAT detection and the ensuing NAT traversal are always active and cannot be deactivated. What's probably confusing you is the mobike=yes parameter, which activates the IKEv2 Mobility and Multihoming Protocol (RFC 4555 MOBIKE) by default. During the initial negotiation the IKE_SA_INIT request/response pair is always sent on UDP port 500, but with MOBIKE enabled the port always floats to UDP port 4500 starting with the IKE_AUTH request/response pair, even if *no* NAT situation is detected. If you want IKEv2 to behave in the same way as IKEv1 then please deactivate MOBIKE with

  mobike=no

Please be aware that a serious NAT-T bug was fixed in strongSwan 4.5.1 and later versions which, in the case of a responder sitting behind a NAT router, caused the host to answer requests sent on port 4500 on port 500 instead.

Hope this helps!

Kind regards

Andreas

On 07/21/2011 02:38 PM, Holger Metschulat wrote:
> Hi all,
>
> I have a problem understanding how NAT Traversal is implemented in
> StrongSwan.
>
> I thought that an IPSEC endpoint which is enabled for NAT Traversal will
> listen on Port 500 and Port 4500. Any IKE negotiation starts on port 500
> first; when a NAT device is detected, the negotiation continues on port
> 4500.
>
> Playing around with StrongSwan, nat_traversal=no has StrongSwan
> listening only on port 500 (and using port 500 for connections);
> nat_traversal=yes moves the listening port and destination port to 4500.
> This is contrary to my belief of how NAT Traversal works.
>
> Can you comment please?
>
> Regards,
> Holger
>
======================================================================
Andreas Steffen                                   [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
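Added example, not from this thread or from strongSwan's own code, showing the on-the-wire side of what Andreas describes: it reads an IKE header (RFC 2408/7296), flags the IKEv1 NAT-D payloads (RFC 3947) and IKEv2 NAT_DETECTION_* notifies (RFC 7296) that drive NAT detection, and checks for the RFC 3948 non-ESP marker that must precede IKE once it has floated to UDP/4500. The sample datagrams are constructed inline; their SPIs and payload bodies are dummy bytes.

```python
import struct
IKEV1_NAT_D = 20                   # RFC 3947 NAT-D payload type
IKEV2_NOTIFY = 41                  # RFC 7296 Notify payload type
IKEV2_NAT_DETECT = {16388, 16389}  # NAT_DETECTION_SOURCE_IP / _DESTINATION_IP
EXCHANGES = {2: "IKEv1 Main Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH"}

def parse_ike_datagram(udp_port, data):
    """Summarise one IKE UDP payload; raise ValueError if malformed."""
    if udp_port == 4500:
        # IKE shares UDP/4500 with UDP-encapsulated ESP; a 4-byte zero non-ESP
        # marker tells them apart, since an ESP SPI is never zero (RFC 3948).
        if data[:4] != b"\0\0\0\0":
            raise ValueError("port 4500 datagram without non-ESP marker")
        data = data[4:]
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    # Header: iSPI(8) rSPI(8) next payload(1) version(1) exchange(1) flags ...
    next_pl, version, exch = struct.unpack("!16xBBB9x", data[:28])
    major, nat_detect, off = version >> 4, False, 28
    while next_pl != 0 and off + 4 <= len(data):
        pl_next, _, pl_len = struct.unpack("!BBH", data[off:off + 4])
        if pl_len < 4 or off + pl_len > len(data):
            raise ValueError("bad payload length")
        if major == 1 and next_pl == IKEV1_NAT_D:
            nat_detect = True
        elif major == 2 and next_pl == IKEV2_NOTIFY and pl_len >= 8:
            # Notify body: protocol id(1) SPI size(1) notify message type(2)
            if struct.unpack("!H", data[off + 6:off + 8])[0] in IKEV2_NAT_DETECT:
                nat_detect = True
        next_pl, off = pl_next, off + pl_len
    return {"version": major, "exchange": EXCHANGES.get(exch, exch),
            "port": udp_port, "nat_detection": nat_detect}

def build_ike(major, exch, payloads, marker=False):
    """Constructed sample datagram: IKE header plus a chain of (type, body)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, payloads[0][0],
                      major << 4, exch, 0, 0, 28 + len(body))
    return (b"\0\0\0\0" if marker else b"") + hdr + body

NAT_NOTIFY = struct.pack("!BBH", 0, 0, 16388) + b"\xab" * 20  # dummy hash
SAMPLES = [  # constructed: pluto Main Mode with NAT-D, charon IKE_SA_INIT, IKE_AUTH on 4500
    (500, build_ike(1, 2, [(10, b"\x55" * 16), (20, b"\xaa" * 20), (20, b"\xbb" * 20)])),
    (500, build_ike(2, 34, [(40, b"\x55" * 16), (41, NAT_NOTIFY)])),
    (4500, build_ike(2, 35, [(35, b"\x01\0\0\0\x0a\0\0\x01")], marker=True)),
]
```

Running `parse_ike_datagram` over SAMPLES shows NAT detection payloads in both IKEv1 Main Mode and IKE_SA_INIT on port 500, and the IKE_AUTH message already on 4500 with its marker; feeding a 4500 datagram without the marker raises, which is the framing error you would look for when a peer answers on the wrong port.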
