[strongSwan] Header verification failed and NAT mapping changed

Tobias Brunner tobias at strongswan.org
Tue Mar 20 09:49:05 CET 2012

Hi Kim,

> Here are excerpts of the two log files. I tried to get similar time
> slot. I also added some further 'bits' where the behaviour seems a bit
> strange. Hope it helps.

Thanks for the logs.

> -- moon ipsec.log --
> Mar 19 16:12:07 moon charon: 14[NET] sending packet: from
>[4500] to sun[500]
> ...
> Mar 19 16:15:47 moon charon: 09[IKE] local host is behind NAT,
> sending keep alives
> ...
> Mar 19 16:15:48 moon charon: 12[NET] sending packet: from
>[4500] to sun[4500]

I forgot about this yesterday, but this was actually a bug in 4.5.0.
While charon detects that it is behind a NAT, and properly responds to
requests, it does not update the port internally and still uses port 500
for its own requests and for installing the SA in the kernel.

Please update to a more recent release (at least 4.5.1) or try to apply
the patch at [1].

> What I also noticed in this setup, that if both sides only call
> auto=route in the configuration I can see the configuration with ipsec
> statusall, but no SA is installed on receiving traffic to the other
> network.

On both sides?  Or only on moon?  You can check with ip xfrm policy if
the policies are properly installed.  The logs should then show what
happens if matching traffic is received (acquire etc.).


[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=2082417d

More information about the Users mailing list