[Vpn-help] Wrong IKE port?
mgrooms at shrew.net
Thu Feb 7 22:43:46 CST 2008
David Santinoli wrote:
> Needless to say, the connection fails to be established.
> Regarding the circumstances under which this behavior is displayed, I
> haven't come to a definite conclusion yet, but it looks like it's more
> likely to happen immediately after a failed connection attempt (this
> makes me think of iked incorrectly retaining a previous NAT-T detection
IKE communication on port 4500 is quite normal when NAT Traversal
support is used. Take a look at RFC 3947 "Negotiation of NAT-Traversal
in the IKE" section 4 entitled "Changing to New Ports".
If your gateway does not support the RFC version of NAT-T (actually
Draft2 up to the RFC version; there were several drafts), the client
will not change to port 4500 unless you have one of the force options
selected under the client tab. This feature is normally negotiated
automatically by examining the vendor IDs supplied during phase1 setup.
I believe StrongSwan has supported NAT-T for quite some time.
It sounds like you have discovered an internal state issue with the IKE
daemon. Can you restart the IKE daemon service, reproduce the issue,
stop the service and send me the log output? Hopefully I can determine
the series of events that cause iked to get confused and correct the
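As an added illustration of the vendor-ID negotiation and port change described above (example code written for this note, not taken from the thread or from the Shrew Soft client; the payload chain is constructed sample input, and the hypothetical `ike_port` helper folds the NAT-D detection result and the client's force option into one decision):

```python
import hashlib

# NAT-T support is advertised in phase 1 with a Vendor ID payload whose data is
# the MD5 digest of the draft/RFC name (RFC 3947 section 3; draft-02 also
# circulated with a trailing newline in the hashed string).
NAT_T_NAMES = {"RFC 3947": "rfc", "draft-ietf-ipsec-nat-t-ike-03": "draft-03",
               "draft-ietf-ipsec-nat-t-ike-02\n": "draft-02",
               "draft-ietf-ipsec-nat-t-ike-02": "draft-02"}

def nat_t_vid(name):
    """Vendor ID data for a NAT-T draft/RFC name."""
    return hashlib.md5(name.encode()).digest()

NAT_T_VIDS = {nat_t_vid(n): v for n, v in NAT_T_NAMES.items()}
FLOATING = ["rfc", "draft-03", "draft-02"]  # all float to 4500; best first

def build_vid_chain(vid_datas):
    """Constructed sample input: a payload chain of Vendor ID (type 13)
    payloads only; generic header is next(1) reserved(1) length(2)."""
    out = b""
    for i, data in enumerate(vid_datas):
        nxt = 13 if i + 1 < len(vid_datas) else 0
        out += bytes([nxt, 0]) + (4 + len(data)).to_bytes(2, "big") + data
    return out

def parse_vendor_ids(chain, first_type=13):
    """Return the data of every Vendor ID payload in the chain, refusing
    payload lengths that run past the buffer rather than trusting them."""
    vids, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(chain):
            raise ValueError("truncated payload header")
        nxt, length = chain[off], int.from_bytes(chain[off + 2:off + 4], "big")
        if length < 4 or off + length > len(chain):
            raise ValueError("bad payload length")
        if ptype == 13:
            vids.append(chain[off + 4:off + length])
        ptype, off = nxt, off + length
    return vids

def select_nat_t(peer_vids):
    """Most preferred port-floating NAT-T variant the peer advertised, or None."""
    offered = {NAT_T_VIDS[v] for v in peer_vids if v in NAT_T_VIDS}
    return next((v for v in FLOATING if v in offered), None)

def ike_port(variant, nat_detected, force=False):
    """Port for the rest of the exchange: 4500 once a floating variant is agreed
    and the NAT-D exchange found a NAT (or the client forces NAT-T), else 500."""
    return 4500 if force or (variant is not None and nat_detected) else 500
```

A peer that only advertises an unknown or pre-draft-02 vendor ID never gets a floating variant, so the traffic stays on port 500 unless the force option is set, which matches the behaviour described above.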