[Vpn-help] Wrong IKE port?

Matthew Grooms mgrooms at shrew.net
Thu Feb 7 22:43:46 CST 2008

David Santinoli wrote:
> Needless to say, the connection fails to be established.
> Regarding the circumstances under which this behavior is displayed, I
> haven't come to a definite conclusion yet, but it looks like it's more
> likely to happen immediately after a failed connection attempt (this
> makes me think of iked incorrectly retaining a previous NAT-T detection
> result).

Hi David,

IKE communications on port 4500 is quite normal when Nat Traversal 
support is used. Take a look at RFC 3947 "Negotiation of NAT-Traversal 
in the IKE" section 4 entitiled "Changing to Now Ports".


If your gateway does not support the RFC version of NAT-T ( actually 
Draft2 up to the RFC version, there were several drafts ), the client 
will not change to port 4500 unless you have one of the force options 
selected under the client tab. This feature is normally negotiated 
automatically by examining the vendor IDs supplied during phase1 setup. 
I believe StrongSwan has supported NAT-T for quite some time.

It sounds like you have discovered an internal state issue with the IKE 
daemon. Can you restart the IKE daemon service, reproduce the issue, 
stop the service and send me the log output? Hopefully I can determine 
the series of events that cause iked to get confused and correct the 



More information about the vpn-help mailing list