<br><font size=2 face="sans-serif">Hi..</font>
<br>
<br><font size=2 face="sans-serif">Two Openswan gateways are talking to
each other. <b>ISAKMP SA established</b> and <b>IPsec SA established.
</b>No problem at this stage, but NAT-T is not working. One of the gateways
is behind a NAT device while the other uses a public IP address.</font>
<br>
<br><font size=2 face="sans-serif">I get the following debug output.</font>
<br>
<br><font size=2 face="sans-serif">May 30 12:37:03 vizyon kernel: klips_debug:ipsec_rcv:
IKE packet - not handled here</font>
<br><font size=2 face="sans-serif">May 30 12:37:33 vizyon kernel: klips_debug:ipsec_spi_get_info:
buffer=0pd7b86000, *start=0p00000000, offset=0, length=3072</font>
<br><font size=2 face="sans-serif">May 30 12:37:33 vizyon kernel: klips_debug:ipsec_spi_get_info:
buffer=0pd7b86000, *start=0p00000000, offset=898, length=3072</font>
<br><font size=2 face="sans-serif">May 30 12:37:33 vizyon kernel: klips_debug:ipsec_rcv:
suspected ESPinUDP packet (NAT-Traversal) [1].</font>
<br><font size=2 face="sans-serif">May 30 12:37:33 vizyon kernel: klips_debug:
IP: ihl:20 ver:4 tos:0 tlen:112 id:0 DF frag_off:0 ttl:57 proto:17
(UDP) chk:37785 saddr:212.64.209.131:500 daddr:10.34.253.253:500</font>
<br>
<br><font size=2 face="sans-serif">Here is the status screen</font>
<br>
<br>
<br><font size=2 face="sans-serif">[root@vizyon root]# ipsec auto status</font>
<br><font size=2 face="sans-serif">ipsec auto: warning: obsolete command
syntax used</font>
<br><font size=2 face="sans-serif">000 interface ipsec0/eth1 10.34.253.253</font>
<br><font size=2 face="sans-serif">000 interface ipsec0/eth1 10.34.253.253</font>
<br><font size=2 face="sans-serif">000 %myid = (none)</font>
<br><font size=2 face="sans-serif">000 debug nattraversal</font>
<br><font size=2 face="sans-serif">000</font>
<br><font size=2 face="sans-serif">000 algorithm ESP encrypt: id=3, name=ESP_3DES,
ivlen=64, keysizemin=192, keysizemax=192</font>
<br><font size=2 face="sans-serif">000 algorithm ESP encrypt: id=12, name=ESP_AES,
ivlen=128, keysizemin=128, keysizemax=256</font>
<br><font size=2 face="sans-serif">000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128</font>
<br><font size=2 face="sans-serif">000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160</font>
<br><font size=2 face="sans-serif">000</font>
<br><font size=2 face="sans-serif">000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
blocksize=8, keydeflen=192</font>
<br><font size=2 face="sans-serif">000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
blocksize=16, keydeflen=128</font>
<br><font size=2 face="sans-serif">000 algorithm IKE hash: id=1, name=OAKLEY_MD5,
hashsize=16</font>
<br><font size=2 face="sans-serif">000 algorithm IKE hash: id=2, name=OAKLEY_SHA1,
hashsize=20</font>
<br><font size=2 face="sans-serif">000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
bits=1024</font>
<br><font size=2 face="sans-serif">000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
bits=1536</font>
<br><font size=2 face="sans-serif">000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
bits=2048</font>
<br><font size=2 face="sans-serif">000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
bits=3072</font>
<br><font size=2 face="sans-serif">000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
bits=4096</font>
<br><font size=2 face="sans-serif">000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
bits=6144</font>
<br><font size=2 face="sans-serif">000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
bits=8192</font>
<br><font size=2 face="sans-serif">000</font>
<br><font size=2 face="sans-serif">000 stats db_ops.c: {curr_cnt, total_cnt,
maxsz} :context={0,2,36} trans={0,2,72} attrs={0,2,48}</font>
<br><font size=2 face="sans-serif">000</font>
<br><font size=2 face="sans-serif">000 "Hedef": 10.34.5.0/24===10.34.253.253[81.214.55.178]---10.34.253.254...212.64.209.131===10.34.254.0/24;
erouted; eroute owner: #2</font>
<br><font size=2 face="sans-serif">000 "Hedef":
srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;</font>
<br><font size=2 face="sans-serif">000 "Hedef": ike_life:
3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0</font>
<br><font size=2 face="sans-serif">000 "Hedef": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;</font>
<br><font size=2 face="sans-serif">000 "Hedef": dpd: action:restart;
delay:30; timeout:120;</font>
<br><font size=2 face="sans-serif">000 "Hedef": newest
ISAKMP SA: #1; newest IPsec SA: #2;</font>
<br><font size=2 face="sans-serif">000 "Hedef": IKE algorithm
newest: 3DES_CBC_192-MD5-MODP1536</font>
<br><font size=2 face="sans-serif">000 "Hedef": ESP algorithms
wanted: 3_000-1, flags=-strict</font>
<br><font size=2 face="sans-serif">000 "Hedef": ESP algorithms
loaded: 3_000-1, flags=-strict</font>
<br><font size=2 face="sans-serif">000 "Hedef": ESP algorithm
newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1></font>
<br><font size=2 face="sans-serif">000</font>
<br><font size=2 face="sans-serif">000 #2: "Hedef":500 STATE_QUICK_I2
(sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25764s; newest IPSEC;
eroute owner</font>
<br><font size=2 face="sans-serif">000 #2: "Hedef" esp.9b76a7a9@212.64.209.131
esp.1b71fb5a@10.34.253.253 tun.1002@212.64.209.131 tun.1001@10.34.253.253</font>
<br><font size=2 face="sans-serif">000 #1: "Hedef":500 STATE_MAIN_I4
(ISAKMP SA established); EVENT_SA_REPLACE in 850s; newest ISAKMP; lastdpd=25s(seq
in:17211 out:0)</font>
<br>
<br>
<br><font size=2 face="sans-serif">Help is appreciated..</font>
<br><font size=2 face="sans-serif">Thanks in advance..</font>
<br>
<br>
<br>
<br><font size=2 face="sans-serif">İhsan Türkmen<br>
Hedef Alliance Holding A.Ş.<br>
Information Systems Directorate<br>
<br>
Namık Kemal Cad. Göztepe Mah.<br>
Karanfil Sok. No: 62<br>
34550 Bağcılar / İstanbul/TR<br>
Tel : +90 (212) 445 50 95<br>
Fax: +90 (212) 445 97 54<br>
</font>