On Thu, 20 Apr 2017, Madden, Joe wrote:

I have an issue between a libreswan and a StrongSwan instance.

When StrongSwan initiates the connection it comes up OK. When we initiate it the 
IKEv1 is established, but phase 2 NAT-T becomes erouted but we have no traffic 
flow.

Can you check with "ip xfrm pol" and "ip xfrm state" on both ends and
see if that matches?

Looking at this, I've found that when we initiate the connection the source 
port of our packet is 1024 and not 4500 as I would expect.

The initiator's port can be any source port, as a NAT could be changing
this from 4500 to any other random port. The destination port remains
4500. So any firewall rule would need to allow Any port from/to port
4500.

Is this normal behaviour?

Yes, it seems a NAT has decided port 4500 was already in use, and used
NAT to change it to 1024.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
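The check Paul suggests, comparing `ip xfrm state` on both ends, is easy to do by eye for one tunnel but the NAT-T port relationships are worth spelling out. The script below is an added example, not code from libreswan or from anyone on this thread: it parses two `ip xfrm state` dumps, pairs the SAs by SPI, and reports SPIs that exist on one end only, the NAT-mapped source port each host sees its peer behind, and cases where a host replies to a different port than the one it receives from. The two dumps are constructed (made-up addresses, SPIs and keys) to mirror the situation in the thread, with the initiator behind a NAT that rewrote its source port from 4500 to 1024; the host labels, the `Sa` record and the `compare()` report layout are this example's own.

```python
"""Compare `ip xfrm state` output from both ends of a NAT-T IPsec tunnel.

Added example for the thread above, not code from libreswan or from the
list post. The dumps below are constructed (made-up addresses, SPIs and
keys) to mirror the situation described: the initiator sits behind a NAT
that rewrote its UDP source port from 4500 to 1024.
"""
import re
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500  # the port each host itself sends from and listens on


@dataclass(frozen=True)
class Sa:
    src: str
    dst: str
    spi: int
    sport: Optional[int]  # espinudp encapsulation ports; None without NAT-T
    dport: Optional[int]


_HDR = re.compile(r"^src (\S+) dst (\S+)$")
_SPI = re.compile(r"^proto esp spi (0x[0-9a-fA-F]+)\b")
_ENC = re.compile(r"^encap type espinudp sport (\d+) dport (\d+)\b")


def parse_xfrm_state(dump: str) -> list[Sa]:
    """Turn the text printed by `ip xfrm state` into Sa records."""
    sas: list[Sa] = []
    cur: Optional[dict] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := _HDR.match(line):
            if cur and cur["spi"] is not None:
                sas.append(Sa(**cur))
            cur = dict(src=m[1], dst=m[2], spi=None, sport=None, dport=None)
        elif cur is None:
            continue  # text before the first "src ... dst ..." header
        elif m := _SPI.match(line):
            cur["spi"] = int(m[1], 16)
        elif m := _ENC.match(line):
            cur["sport"], cur["dport"] = int(m[1]), int(m[2])
    if cur and cur["spi"] is not None:
        sas.append(Sa(**cur))
    return sas


def compare(hosts: dict[str, tuple[str, list[Sa]]]) -> dict:
    """hosts maps a label to (that host's own address, its parsed SAs).

    Assumes each dump holds the SAs of exactly one tunnel between the two
    hosts. Reports SPIs present on one end only, the NAT-mapped source port
    each host sees its peer behind, and port problems.
    """
    assert len(hosts) == 2, "expected dumps from both ends"
    spis = {name: {s.spi for s in sas} for name, (_, sas) in hosts.items()}
    (spi_a, spi_b) = spis.values()
    report = {"unmatched": sorted(spi_a ^ spi_b),
              "peer_behind_nat_on": {}, "problems": []}
    for name, (addr, sas) in hosts.items():
        outbound = [s for s in sas if s.src == addr]
        inbound = [s for s in sas if s.dst == addr]
        for s in sas:
            if s.sport is None:
                report["problems"].append(f"{name}: SPI {s.spi:#x} has no UDP encapsulation")
        # A host's own socket is port 4500: it sends from it and receives on it,
        # whatever a NAT in between does to the packets on the wire.
        for s in outbound:
            if s.sport is not None and s.sport != NAT_T_PORT:
                report["problems"].append(
                    f"{name}: outbound SPI {s.spi:#x} sends from port {s.sport}, expected {NAT_T_PORT}")
        for s in inbound:
            if s.dport is not None and s.dport != NAT_T_PORT:
                report["problems"].append(
                    f"{name}: inbound SPI {s.spi:#x} arrives on port {s.dport}, expected {NAT_T_PORT}")
        # A NAT in front of the peer shows up here as a foreign *source* port on
        # inbound SAs; the outbound SAs must send replies to exactly that port.
        seen_from = {s.sport for s in inbound if s.sport is not None}
        reply_to = {s.dport for s in outbound if s.dport is not None}
        if seen_from - {NAT_T_PORT}:
            report["peer_behind_nat_on"][name] = sorted(seen_from - {NAT_T_PORT})
        if seen_from and reply_to and seen_from != reply_to:
            report["problems"].append(
                f"{name}: receives from port(s) {sorted(seen_from)} but replies to {sorted(reply_to)}")
    return report


# Constructed dumps. The initiator (10.0.0.2) is behind a NAT whose public
# address is 198.51.100.7; the responder (203.0.113.5) is directly reachable.
INITIATOR_DUMP = """\
src 10.0.0.2 dst 203.0.113.5
\tproto esp spi 0x0c1a2b3c reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x0123456789abcdef 128
\tenc cbc(aes) 0xfedcba9876543210
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 203.0.113.5 dst 10.0.0.2
\tproto esp spi 0x0d4e5f60 reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

RESPONDER_DUMP = """\
src 198.51.100.7 dst 203.0.113.5
\tproto esp spi 0x0c1a2b3c reqid 16390 mode tunnel
\treplay-window 32 flag af-unspec
\tencap type espinudp sport 1024 dport 4500 addr 0.0.0.0
src 203.0.113.5 dst 198.51.100.7
\tproto esp spi 0x0d4e5f60 reqid 16390 mode tunnel
\treplay-window 32 flag af-unspec
\tencap type espinudp sport 4500 dport 1024 addr 0.0.0.0
"""


def check_thread_scenario() -> dict:
    """Run the comparison on the two constructed dumps."""
    return compare({
        "initiator": ("10.0.0.2", parse_xfrm_state(INITIATOR_DUMP)),
        "responder": ("203.0.113.5", parse_xfrm_state(RESPONDER_DUMP)),
    })


if __name__ == "__main__":
    import json
    print(json.dumps(check_thread_scenario(), indent=2))
```

On the constructed dumps the report shows no unmatched SPIs and no problems, and records that the responder sees its peer behind a NAT on port 1024: exactly the healthy state Paul describes, where the only port that stays fixed is the destination port 4500 on the non-NATed side. The same script flags the two failure modes worth checking first in a thread like this: an SPI installed on one end only, and a responder that replies to 4500 instead of the port the NAT mapped. The firewall consequence is the one in the reply above: allow UDP from any port to 4500 and from 4500 to any port, not 4500 to 4500 only.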
