[strongSwan] strongswan seems to go mad after some time

Martin Willi martin at strongswan.org
Mon Oct 4 14:37:40 CEST 2010

> Because with NAT the sport can be different anyways (due to the NAT) and
> with non-NAT the port 500 seems to be configurable in strongswan.

The initiator's source port might be any port, as a NAT device might map port
500 and also port 4500 to different ports.

> Is the port 4500 also configurable?

There are the left/rightikeport options supported via the special
socket-dynamic plugin as initiator. But it is not recommended unless you
know exactly what you are doing. Port floating/non-ESP markers are not
really defined in IKEv2 with custom ports.

> rekey = yes is important, or otherwise my connections will be closed after
> the end of the key lifetime.

Rekeying establishes fresh keys for the IKE_SA. If you set rekey=no,
you'll use the same keys as long as the IKE_SA is alive.

> reauth = yes means just that if a rekey happens, then the authentication
> (e.g. via certificates) is also re-done.


> Mhh ok,.. yeah,.. perhaps with one exception, that one peer loses his
> credentials (the cert) completely, or it expires?!


> btw: is there some bug-tracker for strongswan, where one could hook up
> such issues in order to allow end users (like me) to some how trace these
> things better?

Our Redmine Wiki has an issue tracking system [1].
