[Swan] Libreswan NAT-T Source port

Paul Wouters paul at nohats.ca
Thu Apr 20 15:11:54 UTC 2017


On Thu, 20 Apr 2017, Madden, Joe wrote:

> I have an issue between a libreswan and a StrongSwan instance.
>
> When StrongSwan initiates the connection it comes up OK. When we initiate it the IKE v1 is established, but phase 2 NAT-T becomes erouted but we have no traffic flow.

Can you check with "ip xfrm pol" and "ip xfrm state" on both ends and
see if that matches?

> Looking at this, I've found that when we initiate the connection the source port of our packet is 1024 and not 4500 as I would expect.

The initiator's port can be any source port, as a NAT could be changing
this from 4500 to any other random port. The destination port remains
4500. So any firewall rule would need to allow any port from/to port
4500.

> Is this normal behaviour?

Yes, it seems a NAT has decided port 4500 was already in use, and used
NAT to change it to 1024.

Paul
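The port behaviour Paul describes can be checked on captured traffic: a NAT-T datagram is recognised by one side of the conversation using UDP 4500, not by the initiator's source port (1024 in this thread), and IKE is told apart from UDP-encapsulated ESP by the 4-byte zero "non-ESP marker" (RFC 3948). The classifier below is an added example, not code from this thread or from libreswan; the sample datagrams are constructed inline.

```python
import struct

NAT_T_PORT = 4500                       # IKE/ESP NAT traversal port (RFC 3947/3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefixes IKE messages sent on port 4500
KEEPALIVE = b"\xff"                     # NAT-T keepalive payload (RFC 3948 s.2.3)


def classify_nat_t(udp_datagram: bytes) -> str:
    """Classify a raw UDP datagram (8-byte header + payload) as NAT-T traffic.

    Returns 'ike', 'esp', 'keepalive' or 'other'.
    """
    if len(udp_datagram) < 8:
        return "other"
    sport, dport, _length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    payload = udp_datagram[8:]
    # A NAT may rewrite the initiator's source port to anything, so only
    # require that one end of the flow uses 4500 (a dport-only rule would
    # drop the responder's replies back to the rewritten port).
    if NAT_T_PORT not in (sport, dport):
        return "other"
    if payload == KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"                    # IKE header follows the marker
    if len(payload) >= 8:
        return "esp"                    # UDP-encapsulated ESP: SPI + sequence number
    return "other"


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram with a zero checksum (constructed test input)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    # Initiator behind a NAT: source port rewritten to 1024, destination 4500.
    ike = build_udp(1024, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28)
    esp = build_udp(NAT_T_PORT, 1024, b"\x00\x00\x12\x34\x00\x00\x00\x01")
    print(classify_nat_t(ike), classify_nat_t(esp))
```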

