[strongSwan] Header verification failed and NAT mapping changed

Kim Zeitler Kim.Zeitler at konzept-is.de
Tue Mar 20 17:08:29 CET 2012

Hi Tobias,

> I forgot about this yesterday, but this was actually a bug in 4.5.0.
> While charon detects that it is behind a NAT, and properly responds to
> requests, it does not update the port internally and still uses port 500
> for its own requests and for installing the SA in the kernel.
> Please update to a more recent release (at least 4.5.1) or try to apply
> the patch at [1].

thanks for your help,
I updated the 4.5.0 Version to a 4.6.2 and it seems that it solved the
log entries.

The connection still seems a bit unstable, but I will observe it more
and try to figure out what causes it. Is much easier without the now
missing errors.

Thanks again.

> > What I also noticed in this setup, that if both sides only call
> > auto=route in the configuration I can see the configuration with ipsec
> > statusall, but no SA is installed on receiving traffic to the other
> > network.
> On both sides?  Or only on moon?  You can check with ip xfrm policy if
> the policies are properly installed.  The logs should then show what
> happens if matching traffic is received (acquire etc.).
Is a productive system and for the users sake can't take it down just
for a test or two.


More information about the Users mailing list