[Vpn-help] Wrong IKE port?
Matthew Grooms
mgrooms at shrew.net
Thu Feb 7 22:43:46 CST 2008
David Santinoli wrote:
>
> Needless to say, the connection fails to be established.
>
> Regarding the circumstances under which this behavior is displayed, I
> haven't come to a definite conclusion yet, but it looks like it's more
> likely to happen immediately after a failed connection attempt (this
> makes me think of iked incorrectly retaining a previous NAT-T detection
> result).
>
Hi David,
IKE communication on port 4500 is quite normal when NAT Traversal
support is used. Take a look at RFC 3947 "Negotiation of NAT-Traversal
in the IKE" section 4 entitled "Changing to New Ports".
http://tools.ietf.org/html/rfc3947
If your gateway does not support the RFC version of NAT-T (actually
Draft 2 up to the RFC version; there were several drafts), the client
will not change to port 4500 unless you have one of the force options
selected under the client tab. This feature is normally negotiated
automatically by examining the vendor IDs supplied during phase1 setup.
I believe StrongSwan has supported NAT-T for quite some time.
It sounds like you have discovered an internal state issue with the IKE
daemon. Can you restart the IKE daemon service, reproduce the issue,
stop the service and send me the log output? Hopefully I can determine
the series of events that cause iked to get confused and correct the
problem.
Thanks,
-Matthew
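As an added illustration of the port decision Matthew describes (example code written for this page, not the Shrew Soft iked or client source): the NAT-T vendor IDs are the MD5 digests of the RFC 3947 and draft name strings, the `force_natt` flag models the client "force" options, and `retry_ports` shows why per-attempt NAT-T state must be reset so a retry after a failed attempt starts on UDP/500 again. The `Phase1` class and its method names are assumptions made for the model.

```python
import hashlib
IKE_PORT, NATT_PORT = 500, 4500

# NAT-T vendor ID strings from RFC 3947 and the earlier drafts; the payload
# carried on the wire is the MD5 digest of the string.
NATT_VID_STRINGS = {
    "rfc3947": "RFC 3947",
    "draft-03": "draft-ietf-ipsec-nat-t-ike-03",
    "draft-02": "draft-ietf-ipsec-nat-t-ike-02",
    "draft-02n": "draft-ietf-ipsec-nat-t-ike-02\n",
}
NATT_VIDS = {hashlib.md5(s.encode()).digest(): n for n, s in NATT_VID_STRINGS.items()}

def natt_version(vendor_ids):
    """Return the first recognised NAT-T version among the peer's vendor IDs."""
    for vid in vendor_ids:
        if vid in NATT_VIDS:
            return NATT_VIDS[vid]
    return None

class Phase1:
    """NAT-T state for one phase 1 attempt (hypothetical model). force_natt
    stands for the client 'force' options; all else is re-learned per attempt."""
    def __init__(self, force_natt=False):
        self.force_natt = force_natt
        self.reset()
    def reset(self):
        self.natt_version = None   # learned from the peer's vendor IDs
        self.nat_detected = False  # learned from NAT-D payload comparison
    def on_vendor_ids(self, vendor_ids):
        self.natt_version = natt_version(vendor_ids)
    def on_nat_detection(self, nat_seen):
        self.nat_detected = nat_seen
    def select_port(self):
        """UDP/4500 only when forced, or when NAT-T was negotiated and a NAT seen."""
        if self.force_natt or (self.natt_version and self.nat_detected):
            return NATT_PORT
        return IKE_PORT

def retry_ports(reset_between):
    """Ports chosen for a NAT-T attempt and for the retry that follows it.
    Reusing the state without reset() reproduces the stale-4500 symptom."""
    p = Phase1()
    p.on_vendor_ids([hashlib.md5(b"RFC 3947").digest()])  # constructed peer VID
    p.on_nat_detection(True)
    first = p.select_port()
    if reset_between:
        p.reset()
    return first, p.select_port()
```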