[strongSwan] NAT Traversal - Issues in understanding

Andreas Steffen andreas.steffen at strongswan.org
Thu Jul 21 15:09:27 CEST 2011

Hello Holger,

it is important to understand that NAT-Traversal is implemented
differently in the IKEv1 pluto and IKEv2 charon daemons, respectively.

IKEv1 pluto

Since the original IKEv1 standard didn't have NAT-T support, which was
added later on by RFC 3947 "Negotiation of NAT-Traversal in the IKE",
NAT-T is disabled by default in the pluto daemon and must be explicitly
enabled using the parameter


With NAT-T enabled, pluto will float to UDP port 4500 starting with
the third IKEv1 Main Mode message exchange if a NAT situation was
detected using the NAT-D payloads during the second message exchange.

IKEv2 charon

The nat_traversal parameter is ignored by the IKEv2 daemon since
NAT detection and ensuing NAT traversal is always active and cannot
be deactivated. What's probably confusing you is the


parameter which activates the IKEv2 Mobility and Multihoming Protocol
(RFC 4555 MOBIKE) by default. During the initial negotiation the
IKE_SA_INIT request/response pair is always sent on UDP port 500
but with MOBIKE enabled the port always floats to UDP port 4500
starting with the IKE_AUTH request/response pair even if *no*
NAT situation is detected. If you want IKEv2 to behave in the same
way as IKEv1 then please deactivate MOBIKE with


Please be aware that a serious NAT-T bug was fixed in strongSwan
4.5.1 and later versions which, in the case of a responder sitting
behind a NAT router, caused the host to answer requests sent on
port 4500 on port 500 instead.

Hope this helps!

Kind regards


On 07/21/2011 02:38 PM, Holger Metschulat wrote:
> Hi all,
> I have a problem understanding how NAT Traversal is implemented in
> StrongSwan.
> I thought that an IPSEC endpoint which is enabled for NAT Traversal will
> listen on Port 500 and Port 4500. Any IKE negotiation starts on port 500
> first; when a NAT device is detected, the negotiation continues on port
> 4500.
> Playing around with StrongSwan, nat_traversal=no has StrongSwan
> listening only on port 500 (and using port 500 for connections);
> nat_traversal=yes moves the listening port and destination port to 4500.
> This is contrary to what my belief was how NAT Traversal works.
> Can you comment please?
> Regards,
> Holger

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
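As an added illustration of the detection step discussed in the message above (this is example code written for this page, not code from the original mail or from strongSwan): the responder recomputes the NAT-detection hash the initiator sent over the source address and port it actually observed, and a mismatch is what tells it that a NAT sits in the path. The IKEv2 notify uses a fixed SHA-1 (RFC 5996, section 2.23), the IKEv1 NAT-D payload uses the hash negotiated in Main Mode (RFC 3947); the non-ESP marker check is what lets a single UDP 4500 socket carry both IKE and UDP-encapsulated ESP (RFC 3948). All SPIs, cookies and addresses are constructed sample values.

```python
"""Added illustration (not strongSwan code): how a responder evaluates the
IKEv2 NAT_DETECTION_*_IP notifies and the IKEv1 NAT-D payloads, and on which
UDP port the exchange continues. All SPIs, cookies and addresses are
constructed sample values."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500        # IKE_SA_INIT (IKEv2) / first two Main Mode exchanges (IKEv1)
IKE_NATT_PORT = 4500  # port floated to after NAT detection (or always, with MOBIKE)


def _addr_port(ip: str, port: int) -> bytes:
    """Network-order IPv4/IPv6 address followed by the 16-bit UDP port."""
    return ipaddress.ip_address(ip).packed + struct.pack("!H", port)


def ikev2_nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_SOURCE/DESTINATION_IP notify (RFC 5996, 2.23):
    SHA-1 over SPIi | SPIr | IP | Port. SPIr is all zero in the IKE_SA_INIT request."""
    return hashlib.sha1(spi_i + spi_r + _addr_port(ip, port)).digest()


def ikev1_nat_d_hash(hash_name: str, cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Data of an IKEv1 NAT-D payload (RFC 3947, 3.2): HASH(CKY-I | CKY-R | IP | Port),
    using the hash algorithm negotiated in the first Main Mode exchange ("md5"/"sha1")."""
    return hashlib.new(hash_name, cky_i + cky_r + _addr_port(ip, port)).digest()


def evaluate_ikev2_init(spi_i, spi_r, src_hash, dst_hash, observed_src, my_addr, mobike):
    """Responder-side evaluation of an IKE_SA_INIT request.

    observed_src is the (ip, port) the datagram actually came from, my_addr the
    (ip, port) it arrived on. The initiator hashed the addresses *it* saw; if a
    recomputation over what the responder sees differs, a NAT rewrote that side.
    """
    initiator_natted = ikev2_nat_detection_hash(spi_i, spi_r, *observed_src) != src_hash
    responder_natted = ikev2_nat_detection_hash(spi_i, spi_r, *my_addr) != dst_hash
    nat_detected = initiator_natted or responder_natted
    # charon with MOBIKE moves to 4500 for IKE_AUTH regardless of NAT detection;
    # without MOBIKE (and pluto from the third Main Mode exchange on) only if a
    # NAT was actually detected.
    port = IKE_NATT_PORT if (nat_detected or mobike) else IKE_PORT
    return {"initiator_behind_nat": initiator_natted,
            "responder_behind_nat": responder_natted,
            "ike_auth_port": port}


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a datagram received on UDP 4500 (RFC 3948, 2.2): IKE messages
    are prefixed with a four-byte zero non-ESP marker, while UDP-encapsulated ESP
    starts directly with its (non-zero) SPI."""
    if len(payload) < 4:
        return "short"
    return "ike" if payload[:4] == b"\x00\x00\x00\x00" else "esp"


def demo():
    """Constructed scenario: the initiator at 10.0.0.5:500 sits behind a NAT that
    maps it to 203.0.113.7:43211; the responder at 198.51.100.1:500 is not NATed."""
    spi_i, spi_r = bytes.fromhex("0011223344556677"), bytes(8)
    # The initiator hashes the addresses it sees on its own socket.
    src_hash = ikev2_nat_detection_hash(spi_i, spi_r, "10.0.0.5", IKE_PORT)
    dst_hash = ikev2_nat_detection_hash(spi_i, spi_r, "198.51.100.1", IKE_PORT)
    return evaluate_ikev2_init(spi_i, spi_r, src_hash, dst_hash,
                               observed_src=("203.0.113.7", 43211),
                               my_addr=("198.51.100.1", IKE_PORT), mobike=False)


if __name__ == "__main__":
    print(demo())
    # A datagram arriving on 4500 must be classified before any IKE parsing:
    print(classify_udp4500(b"\x00\x00\x00\x00" + bytes(28)),
          classify_udp4500(bytes.fromhex("c0ffee01") + bytes(8)))
```

Running demo() reports the initiator as NATed (its hash was computed over 10.0.0.5:500, the responder sees 203.0.113.7:43211) and the responder as not NATed, so the exchange continues on 4500; with the same addresses on both sides and mobike=False it stays on 500, and with mobike=True it moves to 4500 anyway, which is the behaviour the message describes for charon.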
