[strongSwan] Header verification failed and NAT mapping changed

Tobias Brunner tobias at strongswan.org
Mon Mar 19 16:24:06 CET 2012

Hi Kim,

> On our IPSec GW moon we can see following message repeatedly in our log
> files:
> ------------------------
> Mar 19 11:02:45 moon charon: 14[NET] sending packet: from
>[4500] to sun[500]

Very strange.  Due to the NAT this packet should actually be sent from
port 4500 to port 4500.  The complete log of moon (and sun) would help
to see whether there is something wrong with the NAT detection etc.

> Mar 19 11:02:46 moon charon: 01[KNL] NAT mappings of ESP CHILD_SA
> with SPI c2aa0995 and reqid {804} changed, queuing update job

This seems strange too as this should not really happen for the host
*behind* the NAT (unless the other end is natted too, of course) - and
only if the actual endpoints have changed.  A possible reason could be
that sun sends ESP packets from port 4500 while moon has port 500
configured (if the port used above is any indication).

> Moon is running: Linux strongSwan U4.5.0/K2.6.37.6-0.5-desktop
> Sun is running:  Linux strongSwan U4.2.8/K2.6.27.7-9-pae

Hm, 4.2.8 is quite old; not sure if that plays a part in this.
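As an added illustration (not part of this thread and not strongSwan's own code), a small checker over charon log lines of the shape quoted above: it flags "sending/received packet" lines where only one endpoint is on the IKE NAT-T port 4500, and counts "NAT mappings ... changed" events per SPI so repeated updates stand out. The sample lines, hostnames and timestamps are constructed for the example.

```python
import re

# charon [NET] lines, e.g.
#   "... charon: 14[NET] sending packet: from moon[4500] to sun[500]"
PACKET_RE = re.compile(
    r"charon: \d+\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>\S+)\[(?P<sport>\d+)\] to (?P<dst>\S+)\[(?P<dport>\d+)\]"
)
# charon [KNL] lines, e.g.
#   "... NAT mappings of ESP CHILD_SA with SPI c2aa0995 and reqid {804} changed ..."
MAPPING_RE = re.compile(
    r"NAT mappings of ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+) "
    r"and reqid \{(?P<reqid>\d+)\} changed"
)

NAT_T_PORT = 4500  # after NAT detection both IKE endpoints should use this port


def parse_packet_line(line):
    """Return the endpoints of a [NET] packet line, or None if it is not one."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    return (m["dir"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def port_mismatches(lines):
    """Packet lines where exactly one side is on 4500 (e.g. 4500 -> 500).

    Once NAT-T has been negotiated, mixed 500/4500 ports usually point at a
    NAT-detection or port-configuration problem on one of the peers.
    """
    findings = []
    for idx, line in enumerate(lines):
        pkt = parse_packet_line(line)
        if pkt is None:
            continue
        _, src, sport, dst, dport = pkt
        if (sport == NAT_T_PORT) != (dport == NAT_T_PORT):
            findings.append((idx, src, sport, dst, dport))
    return findings


def mapping_changes(lines):
    """Count 'NAT mappings ... changed' events per ESP SPI (hex string)."""
    counts = {}
    for line in lines:
        m = MAPPING_RE.search(line)
        if m:
            counts[m["spi"]] = counts.get(m["spi"], 0) + 1
    return counts


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Mar 19 11:02:45 moon charon: 14[NET] sending packet: from moon[4500] to sun[500]",
    "Mar 19 11:02:45 moon charon: 14[NET] sending packet: from moon[4500] to sun[4500]",
    "Mar 19 11:02:46 moon charon: 01[KNL] NAT mappings of ESP CHILD_SA with SPI c2aa0995 and reqid {804} changed, queuing update job",
    "Mar 19 11:03:46 moon charon: 01[KNL] NAT mappings of ESP CHILD_SA with SPI c2aa0995 and reqid {804} changed, queuing update job",
    "Mar 19 11:03:50 moon charon: 05[NET] received packet: from sun[4500] to moon[4500]",
]

if __name__ == "__main__":
    for idx, src, sport, dst, dport in port_mismatches(SAMPLE_LOG):
        print(f"line {idx}: mixed NAT-T ports {src}[{sport}] -> {dst}[{dport}]")
    for spi, n in mapping_changes(SAMPLE_LOG).items():
        print(f"SPI {spi}: NAT mapping changed {n} time(s)")
```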


