[strongSwan] ESP-encap port different than 4500

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 8 16:25:08 CET 2021


Hi,

Set remote and local IKE ports to something other than 500 and NON-ESP markers are set automatically, so NAT-T is then on by default, so to say. Just start off with port 4510. No need to float up. :)

Kind regards

Noel

On 08.01.21 at 15:09, Michael Schwartzkopff wrote:
> Hi,
> 
> 
> I have two different VPN servers behind ONE NAT address. Yes, I know it
> is nonsense, but it is the situation given here.
> 
> 
> One runs with 500/4500. Everything is fine. I configured the firewall to
> forward packets on these ports to the first VPN server.
> 
> 
> I want to use port 510 and 4510 for the second server. I configured
> charon.conf accordingly.
> 
> On the client side I configured rightikeport=510. So the client sends
> the init request from port 500 to port 510. The server recognizes the
> NAT-T on both ends, sends back the response.
> 
> 
> The client sends the third packet from port 4500 to port 4500, which fails
> of course.
> 
> 
> Is there any possibility to tell the client to use port 45100 of the
> ESP-encap port?
> 
> 
> Kind regards,
> 
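
The non-ESP marker mentioned in the reply is the RFC 3948 framing: on a NAT-T port, IKE messages are prefixed with four zero bytes so they can be told apart from UDP-encapsulated ESP and from the one-byte 0xFF keepalive. The sketch below is an added example, not part of this thread or of strongSwan; it classifies UDP payloads captured on such a port (4510 in this thread), and the function names and sample packets are constructed for illustration.

```python
import struct

IKE_HEADER_LEN = 28             # fixed IKE header size (RFC 7296, section 3.1)
NON_ESP_MARKER = b"\x00" * 4    # RFC 3948: four zero bytes precede IKE on the NAT-T port


def _looks_like_ike(data: bytes) -> bool:
    """Heuristic: IKEv2 version byte and a length field matching the datagram."""
    if len(data) < IKE_HEADER_LEN:
        return False
    version = data[17]                               # major/minor version
    (length,) = struct.unpack("!I", data[24:28])     # total message length
    return version == 0x20 and length == len(data)


def classify(payload: bytes) -> str:
    """Classify one UDP payload seen on a NAT-T style port."""
    if payload == b"\xff":
        return "nat-keepalive"
    if payload[:4] == NON_ESP_MARKER and _looks_like_ike(payload[4:]):
        return "ike"
    if _looks_like_ike(payload):
        # IKE framed as for port 500: a NAT-T socket would read the first
        # four bytes of the initiator SPI as an ESP SPI.
        return "ike-without-marker"
    if len(payload) > 8 and payload[:4] != NON_ESP_MARKER:
        return "esp"                                 # non-zero SPI + sequence number
    return "malformed"


def build_ike_header(exchange_type: int = 34, body: bytes = b"") -> bytes:
    """Constructed IKE_SA_INIT request header (34 = IKE_SA_INIT) for testing."""
    spi_i = bytes.fromhex("1122334455667788")        # constructed sample SPI
    return struct.pack("!8s8sBBBBII", spi_i, b"\x00" * 8, 33, 0x20,
                       exchange_type, 0x08, 0, IKE_HEADER_LEN + len(body)) + body


if __name__ == "__main__":
    samples = {
        "marker + IKE": NON_ESP_MARKER + build_ike_header(),
        "bare IKE": build_ike_header(),
        "ESP": bytes.fromhex("c0ffee0100000001") + b"\x00" * 16,
        "keepalive": b"\xff",
    }
    for name, pkt in samples.items():
        print(f"{name:14s} -> {classify(pkt)}")
```

An "ike-without-marker" result on the 4510 port would mean the sender is still framing its messages as for port 500.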
