[strongSwan] left|rightikeport obsolete?
Harald Dunkel
2018-07-23 13:44:53 UTC
Hi folks,

the documentation says for left|rightikeport

"If unspecified, port 500 is used with the port floating to 4500 if a
NAT is detected ..."

This sounds pretty vague. I would like to tell strongswan to use 443/udp
for NAT traversal and dead peer detection, and to use port 500/udp for
isakmp as usual. AFAICT this can be done with charon.port and
charon.port_nat_t, so I wonder what is left|rightikeport good for?


Every insightful comment is highly appreciated
Harri
Tobias Brunner
2018-07-23 13:59:54 UTC
Hi Harald,
Post by Harald Dunkel
> This sounds pretty vague. I would like to tell strongswan to use 443/udp
> for NAT traversal and dead peer detection, and to use port 500/udp for
> isakmp as usual. AFAICT this can be done with charon.port and
> charon.port_nat_t, so I wonder what is left|rightikeport good for?
`leftikeport` only fully works in combination with the socket-dynamic
plugin, which allows using an arbitrary configured source port (as long
as you only configure one of the two ports that the socket-default
plugin opened it also works with that). `rightikeport` is used to
connect to a specific destination port (must be the NAT-T port of the
server). The two settings in strongswan.conf specify the ports bound by
the socket-default plugin (may be set to 0 to use random ports, which is
useful on clients). Regarding the use of custom server ports, see [1].

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal#Custom-Server-Ports
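As an added illustration of the answer above (constructed here, not taken from the thread or from the strongSwan project), the 500/443 port layout Harald asked about: the server binds its ports via the strongswan.conf settings, and a client behind NAT points `rightikeport` at the server's NAT-T port, as Tobias describes. The connection name and the server address are placeholders; the `charon.plugins.*.load` keys for swapping the socket plugins are assumed from strongSwan's generic plugin-loading syntax.

```conf
# --- Server: /etc/strongswan.conf (constructed example) ---
charon {
    # Port the socket-default plugin binds for the initial IKE exchange.
    port = 500
    # Port the socket-default plugin binds for NAT-T; UDP-encapsulated
    # ESP and DPD keepalives travel over this port once a NAT is detected.
    port_nat_t = 443
}

# --- Client behind NAT: /etc/ipsec.conf (constructed example) ---
conn example-vpn
    right=vpn.example.org        # placeholder server address
    # rightikeport must be the server's NAT-T port (443 here),
    # not its plain IKE port (500).
    rightikeport=443
    # remaining conn options (auth, subnets, ...) unchanged

# --- Client: /etc/strongswan.conf, two variants (constructed example) ---
charon {
    # Variant A: keep socket-default but let it pick random source ports,
    # which is what Tobias suggests for clients.
    port = 0
    port_nat_t = 0

    # Variant B: only if a fixed, non-default leftikeport is required.
    # leftikeport is honoured fully only by socket-dynamic, so swap the
    # plugins (assumed plugin-loading syntax; verify against your build).
    # plugins {
    #     socket-default { load = no }
    #     socket-dynamic { load = yes }
    # }
}
```

Firewall rules on the server then have to admit 500/udp and 443/udp; without the `rightikeport` line the client would still float to 4500 and never reach the relocated NAT-T port.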