[Openswan dev] Tunnel in a tunnel : Magic behaviour

Francis GASCHET fg at numlog.fr
Wed Mar 9 15:21:38 CET 2005

Paul Wouters wrote:

> On Wed, 9 Mar 2005, Francis GASCHET wrote:
>> We are using "super-freeswan-" in our FireWall product (FWB 
>> family).
> Time to upgrade?

Maybe some day!!!

>> One of our customers uses that gateway in his office and the Greenbow 
>> IPSEC client on his portable PC.
> Any modern NAT-T will not work on that old superfreeswan.

Yes, it works, but the first exchange goes through UDP port 500. So it 
doesn't solve the problem here, as the Zyxel catches those packets 
(confirmed by Zyxel support)...

> [ tunnel through tunnel ]
> There is no reason why that wouldn't work. I regularly run tunnels within
> tunnels. They're production grade stable tunnels.

Agreed. There is no reason that forbids carrying ESP in a tunnel. Just, in 
that case, both tunnels (the exterior and the private one) arrive in the same 

> The simplest 'how' involves removing any device that takes packets not
> destined for itself.  Since the Zyxel is playing a difficult game, this
> takes a lot of resources to debug and/or work around.
> Paul

But in real life, it's not that easy to explain to your customer 
(who has just bought your box) that he has to ask his own customer to 
change his stupid firewall!!!

Thanks anyway.
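As an added illustration of the point made above (this is not part of the thread, nor Openswan or super-freeswan code), the following Python classifies UDP datagrams the way RFC 3948 NAT-T defines them: IKE on UDP 500, and on UDP 4500 either IKE behind a four-zero-byte non-ESP marker, UDP-encapsulated ESP, or a one-byte keepalive. It also flags the first IKEv1 message (responder SPI still zero, message ID zero), which is the packet that only ever travels on UDP 500 before the peers float to 4500; a firewall that drops UDP 500 therefore stops the negotiation before NAT-T can help. All packets below are constructed samples; the function and constant names are the example's own.

```python
import struct

# ISAKMP header (RFC 2408): initiator cookie/SPI (8), responder cookie/SPI (8),
# next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), total length (4) = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 section 2.3

# Exchange types from RFC 2408 (ISAKMP) and RFC 2409 (IKEv1).
EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (main mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
}


def parse_isakmp(buf):
    """Decode an ISAKMP header; raise ValueError on a truncated buffer."""
    if len(buf) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ispi, rspi, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(buf)
    return {
        "ispi": ispi.hex(), "rspi": rspi.hex(), "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0xF}",          # IKEv1 carries 0x10
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "flags": flags, "message_id": msgid, "length": length,
    }


def is_first_ike_message(hdr):
    """The initiator's very first message: responder SPI and message ID still zero."""
    return hdr["rspi"] == "00" * 8 and hdr["message_id"] == 0


def classify_udp_payload(dst_port, payload):
    """Classify a UDP payload as IKE / ESP / NAT keepalive per RFC 3948 rules."""
    if dst_port == 500:
        return ("ike", parse_isakmp(payload))
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return ("nat-keepalive", None)
        if payload[:4] == NON_ESP_MARKER:
            return ("ike", parse_isakmp(payload[4:]))
        # UDP-encapsulated ESP: the ESP header starts with a non-zero SPI,
        # then a sequence number.  A zero SPI would have matched the marker.
        if len(payload) < 8:
            raise ValueError("short ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        return ("esp", {"spi": spi, "seq": seq})
    return ("other", None)


def build_isakmp(ispi, rspi, exch, msgid=0, body=b""):
    """Helper to construct sample ISAKMP messages (next payload 1 = SA)."""
    hdr = ISAKMP_HDR.pack(ispi, rspi, 1, 0x10, exch, 0, msgid,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed sample packets (hypothetical SPIs, not captured traffic).
INITIATOR_SPI = bytes.fromhex("0102030405060708")
SAMPLE_IKE_MAIN_MODE_1 = build_isakmp(INITIATOR_SPI, bytes(8), 2, body=b"\x00" * 24)
SAMPLE_NAT_T_IKE = NON_ESP_MARKER + build_isakmp(
    INITIATOR_SPI, bytes.fromhex("a1a2a3a4a5a6a7a8"), 32, msgid=0x11223344)
SAMPLE_NAT_T_ESP = struct.pack("!II", 0x12345678, 1) + b"\xde\xad" * 8


def needs_udp_500(dst_port, payload):
    """True when this packet is the opening IKE message, i.e. cannot yet float to 4500."""
    kind, info = classify_udp_payload(dst_port, payload)
    return kind == "ike" and dst_port == 500 and is_first_ike_message(info)


if __name__ == "__main__":
    for port, pkt in [(500, SAMPLE_IKE_MAIN_MODE_1), (4500, SAMPLE_NAT_T_IKE),
                      (4500, SAMPLE_NAT_T_ESP), (4500, NAT_KEEPALIVE)]:
        print(port, classify_udp_payload(port, pkt), "first-msg" if needs_udp_500(port, pkt) else "")
```

Run against a capture on the gateway, the classifier makes the failure mode in the thread visible: the only packet class that ever hits the blocked port is the opening main-mode message, so nothing ever reaches the stage where the peers move to UDP 4500.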