[strongSwan] NAT mappings of ESP CHILD_SA changed !!!

Tobias Brunner tobias at strongswan.org
Tue Aug 20 09:06:58 CEST 2013


Hi,

> Looks like the second solution is not working. Even though I configured
> /etc/strongswan.conf with charon.keep_alive = 0 on both initiator and
> responder, it looks like this configuration is not reflected at all.
> Still I see keep-alive packets going over the standard NAT-T ports every
> 10 seconds. (Initiator strongSwan 5.0.1 & receiver strongSwan 5.1.0)

That's because the change back to port 4500 is not caused by keepalive
packets (which are silently ignored as they are not authenticated) but
by DPD packets (check dpd... options in ipsec.conf).  But any valid IKE
packet could cause such a change.

You may theoretically patch kernel_handler.c so that no update_sa_job is
created when the kernel detects a changed NAT mapping for ESP packets.
strongSwan would then ignore the changed ports and not update the SA.
But I don't think this is optimal as the kernel will still create events
for each received packet with a different port.

What's the point of changing the ports for certain traffic anyway?

Regards,
Tobias
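The distinction Tobias draws above (a one-byte NAT keepalive carries no authentication and is dropped, an ESP packet from a new source port makes the kernel raise a mapping-change event on every packet, and an authenticated IKE message such as a DPD exchange is what actually moves the SA back to port 4500) can be modelled in a few lines. The following is an added illustration, not strongSwan code; the Endpoint class, its method names and the packet bytes are all constructed for this example. The honour_esp_mapping_change flag stands in for the hypothetical kernel_handler.c patch that would skip creating an update_sa_job.

```python
"""Model of how a UDP-encapsulated IPsec endpoint reacts to datagrams on
port 4500 whose source differs from the peer address installed in the SA.
Constructed illustration; it is not strongSwan's implementation."""
from dataclasses import dataclass, field

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 starts with four zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948: NAT-keepalive is a single 0xFF byte


@dataclass
class Endpoint:
    peer: tuple                                # (ip, port) currently installed in the SA
    honour_esp_mapping_change: bool = True     # False models the hypothetical kernel_handler.c patch
    events: list = field(default_factory=list) # mapping-change events the "kernel" raised

    def handle(self, src, payload, authenticated=False):
        """Classify one datagram received on UDP 4500 and report what it caused."""
        if payload == NAT_KEEPALIVE:
            # Unauthenticated and content-free: never allowed to move the SA.
            return "keepalive: ignored"
        if payload.startswith(NON_ESP_MARKER):
            # IKE message (e.g. a DPD exchange). Only an authenticated one may update the peer.
            if not authenticated:
                return "ike: unauthenticated, ignored"
            if src != self.peer:
                self.peer = src
                return "ike: peer address updated"
            return "ike: peer unchanged"
        # Anything else is ESP-in-UDP (payload begins with a non-zero SPI).
        if src != self.peer:
            # The kernel signals a mapping change for every such packet,
            # regardless of whether userland acts on it.
            self.events.append(("esp_mapping_change", src))
            if self.honour_esp_mapping_change:
                self.peer = src            # the update_sa_job path
                return "esp: mapping change, SA updated"
            return "esp: mapping change event, SA left untouched"
        return "esp: peer unchanged"


def run_scenario(honour_esp_mapping_change=True):
    """Replay the sequence from the thread: ESP from a non-standard port,
    a keepalive, then an authenticated DPD message from port 4500."""
    ep = Endpoint(peer=("198.51.100.7", 4500),
                  honour_esp_mapping_change=honour_esp_mapping_change)
    esp = b"\x00\x00\x12\x34" + b"\x00" * 8   # constructed: SPI 0x1234 plus dummy ESP body
    ike = NON_ESP_MARKER + b"\x00" * 28       # constructed: marker plus 28-byte IKE header
    log = [
        ep.handle(("198.51.100.7", 4501), esp),                   # first ESP from new port
        ep.handle(("198.51.100.7", 4501), esp),                   # second ESP from new port
        ep.handle(("198.51.100.7", 4500), NAT_KEEPALIVE),         # keepalive on 4500
        ep.handle(("198.51.100.7", 4500), ike, authenticated=True),  # DPD on 4500
    ]
    return ep, log


if __name__ == "__main__":
    for honour in (True, False):
        ep, log = run_scenario(honour)
        print(f"honour_esp_mapping_change={honour}: final peer {ep.peer}, "
              f"{len(ep.events)} kernel event(s)")
        for line in log:
            print("  ", line)
```

Run as written, the unpatched case shows the SA following the ESP traffic to port 4501 and then being pulled back to 4500 by the authenticated DPD message, which is the flip-flop reported in the thread. With the flag cleared, the SA stays on 4500 but the event list still grows by one entry per ESP packet from the other port, which is the cost Tobias points out.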
