[strongSwan] Help with StrongSwan 4.3.4 and NAT-T

Bob McChesney bmcchesney at gmail.com
Mon Mar 29 11:37:32 CEST 2010

Hi Andreas,

Thank you for your suggestion. I would be happy to use IKEv2 for
StrongSwan to StrongSwan instances, but unfortunately we have some
sites that are not StrongSwan and only support IKEv1.

For example we have one site with a WatchGuard using IKEv1 behind NAT.
Unfortunately, if the WatchGuard is restarted after a connection is
established, then (as described previously) StrongSwan won't accept
packets over UDP 500 until it too is restarted.

I presumed a case demonstrating the problem with only StrongSwan would
be preferable.

Do you know if there should be a way to resolve this problem, or is
IKEv1 with NAT-T not supported by StrongSwan any more?

Bob McChesney

On 24 March 2010 11:03,  Andreas Steffen wrote:
> Hello Bob,
> why don't you just switch to IKEv2 (keyexchange=ikev2) which
> is a much more stable and robust protocol?
> Regards
> Andreas

More information about the Users mailing list