[Openswan dev] Re: IPSec nat-t behavior

Paul Wouters paul at xelerance.com
Sun Feb 19 20:27:35 CET 2006


On Sat, 18 Feb 2006, Pjothi wrote:

> I have been setting up IPSec nat-t in tunnel mode in a LAN test
> environment using Suse Linux 10 which uses openswan.
>
> A ------------- B ------------------- C
>
> B and C belong to same subnet.
>
> I would like to establish IPSec between A and C which belong to
> different subnets. So I use iptables SNAT in between which basically
> NATs address A to address B. nat-t works fine but also exhibits
> strange behavior.
>
> 1. Sometimes there is normal behaviour (mostly the first time) that A
> realizes it's behind a NAT and establishes SA with C, using udp
> encapsulation.
>
> 2. The second time I bootstrap IPSec, A responds, both are NATed.
> Even if I disable NAT in between still I get the same response that
> both are NATed. Sometimes it doesn't recognize the NAT at all.
>
> I believe the reason is that some session establishment is cached and
> complete NAT-D (nat-discovery) is not happening every time. Should I be
> clearing any cache before I restart IPSec so that the complete NAT-D
> is done every time, or what could be the reasons for this abnormal
> behaviour?
>
> Any inputs will be useful and greatly appreciated.

Which version of openswan is this?
Can you try this with openswan-2.4.5.rcX and see if it is still there?
I will try to write a testcase to see if this behaviour can be
reproduced.

Paul
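For readers following the thread, here is an added worked example (not openswan code) of the NAT-D check the poster refers to: per RFC 3947 each side sends HASH(CKY-I | CKY-R | IP | Port) for the destination and for its own source address, and the receiver compares them with hashes of what it actually saw on the wire. SHA-1 is assumed as the negotiated hash, and the cookies and the A/B/C addresses are constructed to mirror the poster's topology (A SNATed to B's address, C the peer).

```python
import hashlib
import socket
import struct

# RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); IPv4 address as 4 octets,
# port as 2 octets, network byte order. SHA-1 is an assumption (the negotiated IKE hash).
def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()

def natd_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """Payloads a peer sends: first the hash of the destination (peer) address,
    then the hash of its own source address, as the sender believes them to be."""
    return (natd_hash(cky_i, cky_r, peer_ip, peer_port),
            natd_hash(cky_i, cky_r, local_ip, local_port))

def detect_nat(cky_i, cky_r, received, seen_src_ip, seen_src_port, my_ip, my_port):
    """Compare received NAT-D hashes with hashes of the addresses actually observed.
    Returns (peer_behind_nat, self_behind_nat)."""
    dst_hash, src_hash = received
    # The sender hashed the destination it used; if that is not our real address, we are behind NAT.
    self_nat = dst_hash != natd_hash(cky_i, cky_r, my_ip, my_port)
    # The sender hashed its own source; if the packet arrived from elsewhere, the peer is behind NAT.
    peer_nat = src_hash != natd_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    return peer_nat, self_nat

def scenario(a_ip, b_ip, c_ip):
    """A talks to C; A's packets leave the SNAT box with source b_ip. Pass b_ip == a_ip for no NAT."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    # A hashes the addresses it knows: itself as a_ip, peer as c_ip.
    a_sends = natd_payloads(cky_i, cky_r, a_ip, 500, c_ip, 500)
    # C sees A's IKE packet arriving from b_ip (the SNAT address).
    c_view = detect_nat(cky_i, cky_r, a_sends, b_ip, 500, c_ip, 500)
    # C replies, hashing the peer address it observed (b_ip) and itself.
    c_sends = natd_payloads(cky_i, cky_r, c_ip, 500, b_ip, 500)
    # The reply is translated back to A; its source is still c_ip.
    a_view = detect_nat(cky_i, cky_r, c_sends, c_ip, 500, a_ip, 500)
    return {"C": c_view, "A": a_view}

if __name__ == "__main__":
    print("with SNAT:", scenario("10.0.0.1", "192.168.1.2", "192.168.1.3"))
    print("no NAT:   ", scenario("192.168.1.1", "192.168.1.1", "192.168.1.3"))
```

A consistent run reports only A behind NAT; a result of "both NATed" or "no NAT" from the same topology means one side compared against addresses other than those it actually observed in the exchange.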

