NAT Traversal - Issues in understanding

Holger Metschulat holger.metschulat at arcor.de
Thu Jul 21 14:38:23 CEST 2011

Hi all,

I have a problem understanding how NAT Traversal is implemented in

I thought that an IPSEC endpoint which is enabled for NAT Traversal will
listen on Port 500 and Port 4500. Any IKE negotiation starts on port 500
first, when a NAT device is detected, the negotiation continues on port

Playing around with StrongSwan, nat_traversal=no has StrongSwan
listening only on port 500 (and using port 500 for connections);
nat_traversal=yes moves the listening port and destination port to 4500.
This is contrary to my belief of how NAT Traversal works.

Can you comment please?
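As an added illustration of the "start on 500, move to 4500 once a NAT is detected" behaviour the question describes (example code, not the poster's and not strongSwan's): a small model of IKEv2 NAT detection from RFC 7296 section 2.23. Each peer hashes the SPIs plus the address and port it sees on its own socket; the receiver recomputes the hash over what actually arrived, and a mismatch means a NAT rewrote that side. All SPIs and addresses below are constructed.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

IKE_PORT, IKE_NATT_PORT = 500, 4500

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ep: Endpoint) -> bytes:
    """NAT_DETECTION_SOURCE_IP / _DESTINATION_IP payload data (RFC 7296 2.23):
    SHA-1 over SPIi | SPIr | IP address | UDP port, all in network byte order."""
    addr = ipaddress.ip_address(ep.ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", ep.port)).digest()

def initiator_notifies(spi_i: bytes, spi_r: bytes, local: Endpoint, remote: Endpoint) -> dict:
    """The initiator hashes the addresses as seen on its own socket (before any NAT)."""
    return {"NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, local),
            "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, remote)}

def responder_detects_nat(spi_i: bytes, spi_r: bytes, notifies: dict,
                          observed_src: Endpoint, local: Endpoint) -> tuple:
    """The responder recomputes both hashes over what actually arrived on the wire;
    a mismatch means a device rewrote the address or port on that side."""
    peer_nat = notifies["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(spi_i, spi_r, observed_src)
    self_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(spi_i, spi_r, local)
    return peer_nat, self_nat

def port_after_detection(peer_nat: bool, self_nat: bool) -> int:
    """IKE_SA_INIT runs on UDP 500; the exchange floats to 4500 (and ESP becomes
    UDP-encapsulated) only if a NAT was detected on either side, else it stays on 500."""
    return IKE_NATT_PORT if (peer_nat or self_nat) else IKE_PORT

if __name__ == "__main__":
    # Constructed values: SPIr is zero in the IKE_SA_INIT request, not yet chosen.
    spi_i, spi_r = bytes.fromhex("0011223344556677"), bytes(8)
    initiator = Endpoint("192.168.1.10", IKE_PORT)   # private address behind a NAT
    responder = Endpoint("198.51.100.7", IKE_PORT)   # publicly reachable responder
    notifies = initiator_notifies(spi_i, spi_r, initiator, responder)
    seen = Endpoint("203.0.113.5", 61234)            # what the NAT rewrote the source to
    peer_nat, self_nat = responder_detects_nat(spi_i, spi_r, notifies, seen, responder)
    print(peer_nat, self_nat, port_after_detection(peer_nat, self_nat))  # True False 4500
```

With no NAT in the path the observed source equals the hashed one, both checks come back False, and the exchange stays on port 500 throughout.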


