[strongSwan] NAT port 4500 collisions

Daniel Pocock daniel at pocock.com.au
Fri Jul 5 11:41:29 CEST 2013

On 05/07/13 09:19, Martin Willi wrote:
> Daniel,
>> I notice that the NAT implementation in OpenWRT sends the packets to the
>> external host with source port 4500 and the external host sends them
>> back to port 4500
>> This seems completely broken, because the ipsec daemon "charon" is bound
>> to port 4500 on the router, so I would have expected the NAT to rewrite
>> the source port to some other value when sending out the packet
> I think your NAT rules really should not rewrite ports to something that
> the router is listening on.
I agree - but I am using the default NAT settings from OpenWRT

The only changes I made are opening up the ports for IPsec to hit the
router, but the NAT has not been changed.

So I suspect this is an issue in the way OpenWRT sets up NAT, not
necessarily a strongSwan fault.  I've also shared these observations on
the OpenWRT users list.

> If you are running the socket-raw plugin (with 4.x), this could well
> explain the behavior. With that plugin, charon does not bind to port
> 4500 to avoid any conflicts with the pluto daemon.
I'm not using the pluto daemon, it is all ikev2

The charon instance on the router needs to listen on 4500 to receive
incoming connections doesn't it?

> But if you are not running socket-raw (or 5.x) on the router, something
> is wrong with your NAT rules.

It is v5.0.0-1 on OpenWRT

More information about the Users mailing list