[strongSwan] No udp encapsulation behind a NAT device?

Tobias Brunner tobias at strongswan.org
Tue Aug 4 10:36:21 CEST 2015

Hi Michael,

> VPN connection is established:

There are no CHILD_SAs listed there.  Only IKE_SAs.  Could you send the
logs of when the SAs are established (including the initial messages
where the NAT is detected)?  What strongSwan version(s) are you using?

> If I configure forceencaps then the xfrm policy is not set up

Why?  What is logged?  Anyway, if it doesn't work with forceencaps,
which randomizes NAT-D payloads to fake a NAT situation, it probably
won't work either if an actual NAT is detected otherwise.
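
The NAT detection comparison this message refers to, as an added example that is not part of the original message and is not strongSwan's code. It assumes the IKEv2 NAT-D hash from RFC 7296 section 2.23 and models forceencaps as random payload data, following the description above; the SPIs, addresses and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import os
import struct

def nat_d_hash(spi_i, spi_r, ip, port):
    """SHA-1 over SPIi | SPIr | IP address | port (RFC 7296, section 2.23)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def build_nat_d(spi_i, spi_r, src, dst, force_encaps=False):
    """Sender: (source, destination) NAT-D data for its own view of the path."""
    if force_encaps:
        # Assumption: modelled as random data replacing both hashes.
        return os.urandom(20), os.urandom(20)
    return nat_d_hash(spi_i, spi_r, *src), nat_d_hash(spi_i, spi_r, *dst)

def nat_detected(spi_i, spi_r, payloads, seen_src, seen_dst):
    """Receiver: recompute the hashes from the addresses on the received packet."""
    src_hash, dst_hash = payloads
    return (src_hash != nat_d_hash(spi_i, spi_r, *seen_src)
            or dst_hash != nat_d_hash(spi_i, spi_r, *seen_dst))

# Constructed sample values (documentation address ranges, made-up SPIs).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)                      # responder SPI is zero in the first request
CLIENT = ("192.0.2.10", 500)          # address the initiator believes it has
NAT_PUBLIC = ("203.0.113.7", 1024)    # what a NAT device would rewrite it to
GATEWAY = ("198.51.100.1", 500)

def demo():
    honest = build_nat_d(SPI_I, SPI_R, CLIENT, GATEWAY)
    forced = build_nat_d(SPI_I, SPI_R, CLIENT, GATEWAY, force_encaps=True)
    return {
        # Packet arrives unmodified: hashes match, no UDP encapsulation needed.
        "no_nat": nat_detected(SPI_I, SPI_R, honest, CLIENT, GATEWAY),
        # Source rewritten in transit: source hash no longer matches.
        "real_nat": nat_detected(SPI_I, SPI_R, honest, NAT_PUBLIC, GATEWAY),
        # No NAT on the path, but random payloads can never match.
        "forceencaps": nat_detected(SPI_I, SPI_R, forced, CLIENT, GATEWAY),
    }

if __name__ == "__main__":
    print(demo())
```

Both the real NAT case and the forced case reach the same "NAT detected" outcome on the receiver, which is why a failure with forceencaps points at the encapsulation path rather than at detection.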
