[Vpn-help] Wrong IKE port?

David Santinoli marauder at tiscali.it
Fri Feb 8 03:59:24 CST 2008


On Thu, Feb 07, 2008 at 10:43:46PM -0600, Matthew Grooms wrote:
> 
> IKE communications on port 4500 are quite normal when NAT Traversal 
> support is used. Take a look at RFC 3947 "Negotiation of NAT-Traversal 
> in the IKE" section 4 entitled "Changing to New Ports".

Hi Matthew,
  yes, I was aware of this.  But as far as I knew, negotiation should
always start at port 500, then eventually transition to 4500 upon
detecting NAT.  What struck me as odd was the attempt to use port 4500
since the very first phase of the conversation.

> It sounds like you have discovered an internal state issue with the
> IKE daemon. Can you restart the IKE daemon service, reproduce the
> issue, stop the service and send me the log output? Hopefully I can
> determine the series of events that cause iked to get confused and
> correct the problem.

Sure.  I'll provide the dump off-list.

Cheers,
 David
-- 
 David Santinoli
 Tieffe Sistemi S.r.l.                      viale Piceno 21, Milano
 www.tieffesistemi.com                         tel. +39 02 76115215
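
The port behaviour discussed in this message, as an added example (not part of the original post and not iked code): a classifier for UDP payloads on ports 500 and 4500 that tells a normal port float apart from a first IKE packet that already arrives on 4500. Function names are hypothetical, the packets are constructed samples, and IKEv1 framing per RFC 3947/3948 is assumed.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4             # RFC 3948: precedes IKE on UDP 4500
ZERO_COOKIE = b"\x00" * 8
IKE_HDR = struct.Struct("!8s8sBBBBII")   # ISAKMP header, 28 bytes

def ike_packet(icookie, rcookie, xchg=2):
    """Build a constructed, header-only ISAKMP packet (xchg 2 = Main Mode)."""
    return IKE_HDR.pack(icookie, rcookie, 1, 0x10, xchg, 0, 0, IKE_HDR.size)

def classify(dst_port, payload):
    """Classify one UDP payload by destination port and leading bytes."""
    if dst_port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"
        if len(payload) < 4:
            return "truncated"
        if payload[:4] != NON_ESP_MARKER:
            return "esp-in-udp"          # leading 4 bytes are a non-zero SPI
        payload = payload[4:]            # strip marker, IKE header follows
    elif dst_port != 500:
        return "not-ike"
    if len(payload) < IKE_HDR.size:
        return "truncated"
    rcookie = IKE_HDR.unpack_from(payload)[1]
    if rcookie == ZERO_COOKIE:           # responder cookie unset: first packet
        return "ike-initial-on-500" if dst_port == 500 else "ike-initial-on-4500"
    return "ike-on-500" if dst_port == 500 else "ike-floated-to-4500"

if __name__ == "__main__":
    ic, rc = b"\x11" * 8, b"\x22" * 8    # constructed cookies
    samples = [
        (500, ike_packet(ic, ZERO_COOKIE)),                    # expected start
        (4500, NON_ESP_MARKER + ike_packet(ic, rc)),           # after NAT detected
        (4500, NON_ESP_MARKER + ike_packet(ic, ZERO_COOKIE)),  # case from this thread
        (4500, b"\x12\x34\x56\x78" + b"\x00" * 16),            # ESP over UDP
        (4500, b"\xff"),                                       # keepalive
    ]
    for port, data in samples:
        print(port, classify(port, data))
```

Run over the payloads of a capture, a result of `ike-initial-on-4500` with no earlier `ike-initial-on-500` for the same peer marks the situation described above.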


