[Openswan dev] openswan 2.4.8 Klips natt psk on kernel 2.4
Mark-Andre Hopf
mhopf at innominate.com
Fri Jul 20 09:11:50 EDT 2007
On Fri 20.07. 15:08, Mark-Andre Hopf wrote:
> On Fri 20.07. 13:50, Ioana Tecuceanu wrote:
>
> > I am using openswan 2.4.8 with klips and I am trying to establish an ipsec
> > tunnel from a natted server to a non-natted client. I am using pre-shared
> > keys.
> >
> > this appears in my log
> > Why the hell is someone passing me a non-ipsec protocol = 17 packet? --
> > dropped.
> >
> > Does anyone know if this is an openswan bug or something like that?
>
> Protocol 17, a.k.a. UDP, is used by IPsec NAT-T, a mechanism required to
> traverse NAT gateways. When a NAT gateway is detected, the IPsec IKE protocol
> (UDP on port 500) and ESP both switch to UDP on port 4500.
>
> You may want to adjust your firewall.
Oh, and when you use NAT, the non-NATed peer must use '%any' as the remote
gateway AND ( aggressive mode OR X.509 certificates instead of PSKs).
Mark
--
mark-andre.hopf at innominate.com
senior software engineer innominate security technologies AG
development protecting industrial networks
tel: +49.30.6392-3284 fax: -3307 http://innominate.com
Alexander Graham Bell is alive and well in New York, and still waiting
for a dial tone.
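As an added illustration (not part of this thread and not from the Openswan project), an ipsec.conf fragment for the non-NATed peer that follows Mark's advice: NAT-T enabled, `right=%any`, and X.509 certificates instead of a PSK. The addresses, certificate file names and the `%v4:` private ranges are placeholders to be replaced with your own.

```conf
# ipsec.conf on the NON-NATed peer (Openswan 2.4.x, KLIPS).
# Placeholder values: 203.0.113.10, server.pem, the %v4: ranges.
config setup
    interfaces=%defaultroute
    # Enables UDP encapsulation: IKE and ESP move to udp/4500 once a NAT
    # is detected, so the firewall must accept udp/500, udp/4500 and
    # IP protocol 50 (ESP) on this host; udp/4500 is what produced the
    # "non-ipsec protocol = 17" log line in the thread.
    nat_traversal=yes
    # Private ranges the NATed peer may claim as its inner address.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn natted-peer
    left=203.0.113.10
    leftcert=server.pem
    leftrsasigkey=%cert
    # The NATed peer's public address is unknown in advance, so it must
    # be %any; a main-mode PSK conn cannot work here because the
    # responder has no peer address to select the key by.
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    # Accept the peer's NATed inner address from virtual_private.
    rightsubnet=vhost:%priv,%no
    authby=rsasig
    # Alternative from the thread: keep authby=secret and set aggrmode=yes
    # instead of using certificates.
    auto=add
```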