[strongSwan] NAT port 4500 collisions

Martin Willi martin at strongswan.org
Fri Jul 5 09:19:04 CEST 2013


Daniel,

> I notice that the NAT implementation in OpenWRT sends the packets to the
> external host with source port 4500 and the external host sends them
> back to port 4500
> 
> This seems completely broken, because the ipsec daemon "charon" is bound
> to port 4500 on the router, so I would have expected the NAT to rewrite
> the source port to some other value when sending out the packet

I think your NAT rules really should not rewrite ports to something that
the router is listening on.

If you are running the socket-raw plugin (with 4.x), this could well
explain the behavior. With that plugin, charon does not bind to port
4500 to avoid any conflicts with the pluto daemon.

But if you are not running socket-raw (or 5.x) on the router, something
is wrong with your NAT rules.

Regards
Martin
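A way to check for the collision Martin describes on the router itself, written as an added example for this thread (it is not code from the thread or from strongSwan): parse the locally bound UDP sockets and the conntrack table, and flag any source-NATed UDP flow whose translated source port is one the router's own daemon is bound to. The `ss -lunp` and `/proc/net/nf_conntrack` samples below are constructed; the addresses are documentation ranges and 198.51.100.7 is assumed to be the router's WAN address.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -lunp` output on the router (not from the thread).
# With the socket-default plugin, charon binds UDP 500 and 4500 itself.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0       0.0.0.0:500         0.0.0.0:*          users:(("charon",pid=1234,fd=9))
UNCONN  0       0       0.0.0.0:4500        0.0.0.0:*          users:(("charon",pid=1234,fd=10))
UNCONN  0       0       0.0.0.0:53          0.0.0.0:*          users:(("dnsmasq",pid=987,fd=4))
"""

# Constructed /proc/net/nf_conntrack entries. The first src/dst/sport/dport
# group is the original direction (LAN host -> peer), the second is the reply
# direction as seen from the peer, i.e. after source NAT on the router.
CONNTRACK = """\
ipv4     2 udp      17 29 src=192.168.1.10 dst=203.0.113.5 sport=4500 dport=4500 src=203.0.113.5 dst=198.51.100.7 sport=4500 dport=4500 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.11 dst=203.0.113.5 sport=4500 dport=4500 src=203.0.113.5 dst=198.51.100.7 sport=4500 dport=1025 mark=0 use=2
ipv4     2 udp      17 100 src=192.168.1.12 dst=203.0.113.9 sport=40000 dport=53 src=203.0.113.9 dst=198.51.100.7 sport=53 dport=40000 mark=0 use=2
"""

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_listening_udp(ss_output: str) -> Dict[int, str]:
    """Map each locally bound UDP port to the owning process name."""
    ports: Dict[int, str] = {}
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[3].rsplit(':', 1)[1])  # "0.0.0.0:4500" -> 4500
        m = re.search(r'\("([^"]+)"', line)
        ports[port] = m.group(1) if m else '?'
    return ports


def parse_conntrack_udp(text: str) -> List[dict]:
    """Split each UDP conntrack line into its original and reply tuples."""
    entries = []
    for line in text.splitlines():
        if ' udp ' not in line:
            continue
        orig: Dict[str, str] = {}
        reply: Dict[str, str] = {}
        for key, val in KV_RE.findall(line):
            # A key seen a second time belongs to the reply-direction tuple.
            (reply if key in orig else orig)[key] = val
        entries.append({'orig': orig, 'reply': reply})
    return entries


def find_collisions(entries: List[dict], listening: Dict[int, str]) -> List[Tuple[str, int, str]]:
    """Return (lan_host, port, process) for every source-NATed UDP flow whose
    translated source port is also bound by a daemon on the router. Replies
    from the peer to that port are then ambiguous between the forwarded flow
    and the router's own daemon, which is the symptom reported in the thread."""
    hits = []
    for e in entries:
        o, r = e['orig'], e['reply']
        if o.get('src') == r.get('dst'):
            continue                 # not source-NATed, nothing to collide with
        port = int(r['dport'])       # the port the peer sees as our source
        if port in listening:
            hits.append((o['src'], port, listening[port]))
    return hits


if __name__ == '__main__':
    bound = parse_listening_udp(SS_OUTPUT)
    for host, port, proc in find_collisions(parse_conntrack_udp(CONNTRACK), bound):
        print(f"collision: NAT maps {host} to source port {port}, "
              f"which {proc} is listening on")
```

On a real router the two inputs come from `ss -lunp` and `/proc/net/nf_conntrack` (or `conntrack -L`); the script only reads them. The first sample flow reproduces Daniel's report (translated source port 4500 while charon holds 4500), the second shows a NAT that rewrote the port and so does not collide, and with the socket-raw plugin, where charon does not bind 4500, the same table produces no finding.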
