[Openswan dev] openswan 2.4.8 Klips natt psk on kernel 2.4

Mark-Andre Hopf mhopf at innominate.com
Fri Jul 20 09:11:50 EDT 2007

On Fri 20.07. 15:08, Mark-Andre Hopf wrote:
> On Fri 20.07. 13:50, Ioana Tecuceanu wrote:
> > I am using openswan 2.4.8 with klips and i am trying to establish an ipsec 
> > tunnel from a natted server to a non-natted client. i am using pre shared 
> > keys.
> > 
> > this appears in my log
> > Why the hell is someone passing me a non-ipsec protocol = 17 packet? -- 
> > dropped.
> > 
> > does anyone know if this is an openswan bug or smth like that? 
> Protocol 17 aka. UDP is used by IPsec NAT-T, a mechanism required to
> traverse NAT gateways. When a NAT gateway is detected IPsec IKE protocol
> (UDP on port 500) and ESP both switch to UDP on port 4500.
> You may want to adjust your firewall.

Oh, and when you use NAT, the non-NATed peer must use '%any' as the remote
gateway AND ( aggressive mode OR X.509 certificates instead of PSKs).


mark-andre.hopf at innominate.com
senior software engineer           innominate security technologies AG
development                             protecting industrial networks
tel: +49.30.6392-3284  fax: -3307                http://innominate.com
Alexander Graham Bell is alive and well in New York, and still waiting
for a dial tone.

More information about the Dev mailing list