[Swan] IPv6 Question

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Jul 13 22:57:01 EEST 2022

On 7/13/2022 5:43 PM, Paul Wouters wrote:

> On Wed, 13 Jul 2022, Mirsad Goran Todorovac wrote:
>> There seems to be a gotcha here: Windows 10 VPN client attempts to 
>> connect to port 4500 (nat-t-ike):
>> 16:29:26.860159 IP6 (flowlabel 0xd2a37, hlim 128, next-header UDP 
>> (17) payload length: 1264) 2001:b68:2:2600::51.4500 > 
>> 2001:b68:2:2600::3.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 
>> 00000001 cookie 9db4ab32a688a0c0->bbedac47611d87f2: child_sa  
>> ikev2_auth[I]:
>>     (#53) [|v2IDi]
> That makes sense. It detected NAT so it has to switch to use port 4500.
Actually, the address 2001:b68:2:2600::51 is static to the client PC. It 
shouldn't do the NAT thing. :-/
>> And here you say you do not listen on 4500: 
>> https://lists.libreswan.org/pipermail/swan/2018/002487.html
> Ohh, you are NATed on IPv6? I am not sure if we support that.
> Ignore that older message of me. Please ensure udp port 4500
> on the libreswan server is reachable from the internet.

I'll have to test for every provider I connect with.

Sometimes it is not our choice. And most of the times, I choose direct 
SLAAC or better DHCPv6 with DDNS.

But I can't seem to find how to prevent Win 10 VPN client from trying to 
establish a NAT connection. I will try more Googling.


Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355

More information about the Swan mailing list