<font size=2 face="sans-serif">Hi,</font>
<br>
<br><font size=2 face="sans-serif">I have experienced similar behaviour,
depending on the device that does the NAT:</font>
<br><font size=2 face="sans-serif">E.g. many home-routers do have a setting
called "SPI forwarding" or some such. </font>
<br><font size=2 face="sans-serif">SPI in this case stands for "Security
Parameter Index", not to be confused with SPI = "Stateful Packet
Inspection", as some manufacturers call their firewalling.</font>
<br><font size=2 face="sans-serif">AFAIK, SPI forwarding enables NATing
of a single IPSec connection, when one of the peers does not support NAT-T.</font>
<br>
<br><font size=2 face="sans-serif">If your NAT device is configured for
SPI forwarding, try deactivating that.</font>
<br>
<br><font size=2 face="sans-serif">Best Regards,</font>
<br><font size=2 face="sans-serif">Frank<br>
</font>
<br><tt><font size=2>users-bounces@openswan.org wrote on 22.02.2010 20:41:34:<br>
<br>
> Dmitriy Samovskiy <dmitriy04111@gmail.com> </font></tt>
<br><tt><font size=2>> Sent by: users-bounces@openswan.org<br>
> </font></tt>
<br><tt><font size=2>> 22.02.2010 20:41</font></tt>
<br><tt><font size=2>> <br>
> Please reply to<br>
> dmitriy@somic.org</font></tt>
<br><tt><font size=2>> <br>
> To</font></tt>
<br><tt><font size=2>> <br>
> Paul Wouters <paul@xelerance.com>, users@openswan.org</font></tt>
<br><tt><font size=2>> <br>
> Cc</font></tt>
<br><tt><font size=2>> <br>
> Subject</font></tt>
<br><tt><font size=2>> <br>
> Re: [Openswan Users] Openswan + NAT-T + Checkpoint NGX</font></tt>
<br><tt><font size=2>> <br>
> Thanks for your quick reply, Paul.<br>
> <br>
> >> The problem is that the tunnel gets established but it ends
up using<br>
> >> regular ESP (proto 50):<br>
> >><br>
> >> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff<br>
> >> <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}<br>
> ><br>
> > Did the vendorids now show that NAT-T was negotiated?<br>
> <br>
> This may sound like a stupid question but how can I find it out?<br>
> <br>
> With tunnels to Cisco, I sometimes see in logs "ignoring Vendor
ID<br>
> payload" lines but I don't have them with Checkpoint, even with<br>
> plutodebug="all".<br>
> <br>
> > Does the checkpoint allow NAT-T for other clients? Or from other
locations?<br>
> <br>
> Checkpoint GUI has NAT-T checkbox checked, that's all I know. I doubt<br>
> they have other NAT-T tunnels but getting this fact double checked<br>
> now.<br>
> <br>
> Thanks,<br>
> Dmitriy<br>
</font></tt>