[strongSwan] NAT port 4500 collisions

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Fri Jul 5 13:51:38 CEST 2013

On Thu, Jul 04, 2013 at 08:46:37PM +0200, Daniel Pocock wrote:
> StrongSwan is working quite well from my OpenWRT router
> However, I'd also like to have a laptop on the wifi, using a private IP,
> making an IPsec connection to an external host
> I notice that the NAT implementation in OpenWRT sends the packets to the
> external host with source port 4500 and the external host sends them
> back to port 4500
> This seems completely broken, because the ipsec daemon "charon" is bound
> to port 4500 on the router, so I would have expected the NAT to rewrite
> the source port to some other value when sending out the packet

SNAT only rewrites the source port if necessary, which may not be the
case here.

> When OpenWRT receives a reply, I would presume that it would not be able
> to work out whether it is destined for the local charon instance in the
> router or for the NAT user.

For incoming packets, the SNAT is undone first, then the packet is checked
if it is addressed to the local machine or needs to be forwarded.

So the netfilter code has to decide if an incoming packet is a reply
to a previously NAT'ed outgoing packet and needs to have its NAT undone.
This decision is based on many parameters, including source and
destination IP addresses and ports, which are stored in the connection
tracking table:
# cat /proc/net/nf_conntrack

Netfilter avoids rewriting the source port on outgoing packets during
SNAT/MASQUERADE if the connection entry is already unique. This is how
I understand the documentation; you may want to check yourself to be

> Has anybody else seen issues like this with OpenWRT or
> iptables/netfilter in general?

Does your laptop receive any answers to its outgoing IKE or ESP-in-UDP
packets? You didn't mention if anything is actually broken here.

You could temporarily shut down the charon daemon on the OpenWRT router
if you suspect any interference.

Are you just trying to understand netfilter's NAT behaviour?
I have not tried your scenario myself, but I believe netfilter works
quite well if the rules are set up correctly.
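To make the conntrack lookup described above concrete, here is an added example (not from this thread, nor strongSwan or netfilter code): a small Python model of the two per-connection tuples, where SNAT keeps the source port unless the reply tuple would collide with an existing entry, and incoming packets are de-NATed before the local-vs-forward decision. The addresses, the router/laptop/peer names and the simplified fallback port range are assumptions.

```python
from typing import Dict, NamedTuple, Optional

class Tuple5(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Tuple5":
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)

class Conntrack:
    """Each entry is stored under both directions, like nf_conntrack's
    original and reply tuples."""
    def __init__(self) -> None:
        self.by_orig: Dict[Tuple5, Tuple5] = {}   # original tuple -> reply tuple
        self.by_reply: Dict[Tuple5, Tuple5] = {}  # reply tuple -> original tuple

    def snat(self, pkt: Tuple5, wan_ip: str, alt_ports=range(1024, 65536)) -> Tuple5:
        """Outgoing packet: keep the source port unless the resulting reply
        tuple already exists; otherwise pick a free one (simplified, assumed)."""
        if pkt in self.by_orig:                   # already tracked: reuse mapping
            return self.by_orig[pkt].reply()
        for sport in (pkt.sport, *alt_ports):
            mapped = Tuple5(pkt.proto, wan_ip, sport, pkt.dst, pkt.dport)
            if mapped.reply() not in self.by_reply:
                self.by_orig[pkt] = mapped.reply()
                self.by_reply[mapped.reply()] = pkt
                return mapped
        raise RuntimeError("no free source port")

    def incoming(self, pkt: Tuple5) -> Tuple5:
        """Incoming packet: undo NAT if it is a known reply, else deliver as is."""
        orig: Optional[Tuple5] = self.by_reply.get(pkt)
        return orig.reply() if orig else pkt

def scenario():
    # Constructed addresses: router WAN side, laptop on the LAN, two remote peers.
    WAN, LAN, PEER, OTHER = "203.0.113.2", "192.168.1.10", "198.51.100.7", "198.51.100.9"
    ct = Conntrack()
    router = ct.snat(Tuple5("udp", WAN, 4500, PEER, 4500), WAN)   # charon on the router
    laptop = ct.snat(Tuple5("udp", LAN, 4500, PEER, 4500), WAN)   # laptop, same peer
    other = ct.snat(Tuple5("udp", LAN, 4500, OTHER, 4500), WAN)   # laptop, different peer
    to_router = ct.incoming(Tuple5("udp", PEER, 4500, WAN, 4500))
    to_laptop = ct.incoming(Tuple5("udp", PEER, 4500, WAN, laptop.sport))
    return router, laptop, other, to_router, to_laptop
```

Only the laptop flow to the same peer gets a rewritten source port; the flow to a different peer keeps 4500 because its reply tuple is already unique.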
