2 files changed, 8 insertions, 12 deletions

diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
index 6dbd1bafd..a62886f02 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -468,18 +468,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
 	{
-		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
 		process_payloads(this, message);
-
-		/* if peer supports NAT-T and MOBIKE, we switch to port 4500 even
-		 * if no NAT is detected. MOBIKE requires this. */
-		if (peer_cfg->use_mobike(peer_cfg) &&
-			this->ike_sa->supports_extension(this->ike_sa, EXT_NATT) &&
-			this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
-		{
-			this->ike_sa->float_ports(this->ike_sa);
-		}
 		return SUCCESS;
 	}
 	else if (message->get_exchange_type(message) == INFORMATIONAL)
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c
index c731178bb..aa0d3ec1c 100644
--- a/src/libcharon/sa/tasks/ike_natd.c
+++ b/src/libcharon/sa/tasks/ike_natd.c
@@ -264,7 +264,14 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
-		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
+			/* if peer supports NAT-T, we switch to port 4500 even
+			 * if no NAT is detected. can't be done later (when we would know
+			 * whether the peer supports MOBIKE) because there would be no
+			 * exchange to actually do the switch (other than a forced DPD). */
+			(peer_cfg->use_mobike(peer_cfg) &&
+			 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
 		{
 			this->ike_sa->float_ports(this->ike_sa);
 		}