[strongSwan] NAT port 4500 collisions

Daniel Pocock daniel at pocock.com.au
Thu Jul 4 20:46:37 CEST 2013

strongSwan is working quite well from my OpenWRT router.

However, I'd also like to have a laptop on the wifi, using a private IP,
making an IPsec connection to an external host.

I notice that the NAT implementation in OpenWRT sends the packets to the
external host with source port 4500 and the external host sends them
back to port 4500.

This seems completely broken, because the ipsec daemon "charon" is bound
to port 4500 on the router, so I would have expected the NAT to rewrite
the source port to some other value when sending out the packet.

When OpenWRT receives a reply, I would presume that it would not be able
to work out whether it is destined for the local charon instance in the
router or for the NAT user.

Has anybody else seen issues like this with OpenWRT or
iptables/netfilter in general?

Here is a diagram:

[Laptop] (charon bound on 4500)
    | -> VPN gateway IP:4500
[OpenWRT] (charon bound on 4500)
    |          WAN IP:4500 -> VPN gateway IP:4500
[Some server] (charon bound on 4500)

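The collision the diagram describes, replayed as a small model of a NAT translation table. This is an added example written for this page, not code from the original post, from strongSwan, OpenWRT or netfilter. It uses constructed addresses and treats a UDP port bound by a daemon on the router itself as a reserved WAN-side port; that reservation and the first-free-port allocation are assumptions of the model, not a description of how netfilter actually allocates ports. The point it shows is why a NAT that keeps source port 4500 unconditionally leaves a reply from gateway:4500 to WAN:4500 matching both the router's own charon socket and the laptop's mapping, while a collision-aware allocator picks a different WAN port for the laptop so the reply maps to exactly one destination.

```python
"""Model of NAT source-port handling for UDP/4500 (IPsec NAT-T) on a router
that itself runs an IKE daemon bound to 4500.

Added example for this page; not code from the original post, strongSwan,
OpenWRT or netfilter. Addresses are constructed (RFC 5737 documentation
ranges). The router's own charon (WAN_IP:4500) and a LAN laptop (charon
bound to 4500) both talk to the same VPN gateway on port 4500.
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"      # router's external address (constructed)
LAN_LAPTOP = "192.168.1.20"  # laptop behind the NAT (constructed)
VPN_GATEWAY = "198.51.100.5" # external IPsec gateway (constructed)
IKE_NAT_T_PORT = 4500
ROUTER_LOCAL = "router-local-socket"  # sentinel: packet belongs to the router's own charon


@dataclass(frozen=True)
class Flow:
    """One UDP flow as seen on the inside (src) towards a peer (dst)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, preserve_port_blindly: bool, local_udp_ports: set[int]):
        # True: keep the inside source port even if it is already taken on the WAN side.
        self.preserve_port_blindly = preserve_port_blindly
        # Assumption of this model: ports bound by daemons on the router count as taken.
        self.local_udp_ports = set(local_udp_ports)
        self.forward: dict[Flow, int] = {}  # inside flow -> WAN source port
        # (wan_port, peer_ip, peer_port) -> inside flows mapped onto that tuple
        self.reverse: dict[tuple[int, str, int], list[Flow]] = {}

    def _wan_port_in_use(self, port: int, peer_ip: str, peer_port: int) -> bool:
        return (port, peer_ip, peer_port) in self.reverse or port in self.local_udp_ports

    def _allocate(self, flow: Flow) -> int:
        if self.preserve_port_blindly or not self._wan_port_in_use(
                flow.src_port, flow.dst_ip, flow.dst_port):
            return flow.src_port
        # Collision: take the first free port of the ephemeral range instead.
        for port in range(1024, 65536):
            if not self._wan_port_in_use(port, flow.dst_ip, flow.dst_port):
                return port
        raise RuntimeError("no free WAN port")

    def translate_out(self, flow: Flow) -> Flow:
        """Rewrite an outgoing inside flow to its WAN-side flow, creating the mapping if needed."""
        if flow not in self.forward:
            port = self._allocate(flow)
            self.forward[flow] = port
            self.reverse.setdefault((port, flow.dst_ip, flow.dst_port), []).append(flow)
        return Flow(WAN_IP, self.forward[flow], flow.dst_ip, flow.dst_port)

    def reply_candidates(self, peer_ip: str, peer_port: int, wan_port: int) -> list:
        """Everything a reply from peer to WAN_IP:wan_port could belong to.
        More than one entry means the router cannot demultiplex the packet."""
        candidates: list = []
        if wan_port in self.local_udp_ports:
            candidates.append(ROUTER_LOCAL)
        candidates.extend(self.reverse.get((wan_port, peer_ip, peer_port), []))
        return candidates


def run_scenario(preserve_port_blindly: bool) -> tuple[int, list]:
    """Return (WAN port chosen for the laptop, candidates for the gateway's reply to it)."""
    nat = Nat(preserve_port_blindly, local_udp_ports={IKE_NAT_T_PORT})  # router's charon on 4500
    laptop = Flow(LAN_LAPTOP, IKE_NAT_T_PORT, VPN_GATEWAY, IKE_NAT_T_PORT)
    outside = nat.translate_out(laptop)
    reply_to = nat.reply_candidates(VPN_GATEWAY, IKE_NAT_T_PORT, outside.src_port)
    return outside.src_port, reply_to


if __name__ == "__main__":
    for blind in (True, False):
        port, cands = run_scenario(blind)
        print(f"preserve port blindly={blind}: laptop appears as {WAN_IP}:{port}; "
              f"a reply to that port matches {cands}")
```

With port preservation the laptop is mapped onto WAN_IP:4500 and the gateway's reply matches two destinations; with the collision-aware allocator the laptop gets a different WAN port and the reply matches only the laptop. Whether a given NAT implementation behaves like either branch is exactly the question the post raises and is not settled by this model.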