Thanks Paul.<div><br></div><div>Firewall in front of linux box HAVE ipsec ablitity,but not enabled,i'm sure about that.</div><div><br></div><div>you saied "<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; color: rgb(80, 0, 80); ">Your firewall is doing ipsec<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: arial; font-size: small; ">",but firewall can not recive a package that is actually for other machine,right?</span></span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; color: rgb(80, 0, 80); "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: arial; font-size: small; "><br>
</span></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; color: rgb(80, 0, 80); "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: arial; font-size: small; ">You metioned udp port 4500,i don't see any packages coming from 4500 on both linux boxes.500 and 4500 all forward using DNAT.</span></span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; color: rgb(80, 0, 80); "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: arial; font-size: small; "><br>
</span></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; color: rgb(80, 0, 80); "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: arial; font-size: small; ">boxA--->firewallA------------firewallB<----boxB</span></span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; color: rgb(80, 0, 80); "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: arial; font-size: small; "><br>
</span></span></div><div>ping from boxA to boxB,tcpdump on firewallA shows an error of "protcol 50 unreachable",i don't know what's this mean,i think firewall don't kave to check ESP packages...</div>
<div><br></div><div>i still think about the command output of "NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation.". does it mean the linux box will not use nat-traversal to send package, and that may the course of protocol 50 unreachable on firewallA?</div>
<div><br></div><div><div class="gmail_quote">2010/1/8 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Fri, 8 Jan 2010, Zhiping Liu wrote:<br>
<br>
</div><div><div></div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi list...<br>
I have two linux box(openswan 2.6.23,kernel 2.6.28.9),both behind firewall(this might be a problem?),i used these two to<br>
build a network-to-network connection.<br>
it seems that the ipsec tuunel is up,route is set.but if i ping from one box to another,no icmp result !<br>
<br>
I set nat_traversal=yes in /etc/ipsec.conf,when i start up a connection use command:<br>
<br>
ipsec auto --up CONNECTION<br>
<br>
it says:<br>
<br>
NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation.<br>
<br>
But the two linux box is really behind a firewall,i don't know why openswan say "Only 0 NAT-D",anyone knows what<br>
mechanism is used to detect if ourself is nated or not?<br>
</blockquote>
<br></div></div><div><div></div><div class="h5">
Your firewall is doing ipsec or you are not forwarding all the right ports, and perhaps<br>
forgot port udp 4500?<br>
<br>
Paul<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>from Romeo<br>
</div>