[Openswan dev] NAT-T in the face of changing IPs
Michael Richardson
mcr at sandelman.ottawa.on.ca
Wed Jul 25 00:21:05 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here on the IETF hotel LAN, I noticed that my IPsec tunnels stopped
working to my SOHO, but some other tunnels remained up. After doing
some multi-hop SSH logins, I tcpdump'ed as follows from the remote end:
00:16:48.267254 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.293630 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.344292 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.351657 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.447608 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
00:16:58.442295 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:58.486046 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
Note that packets to port 500 are coming from 67.97.210.3.500, while
packets to port 4500 are coming from 67.97.210.2.5029.
I.e. a different UDP port. Apparently, this is a problem for openswan.
Was this a case that I just didn't code for, or is this a gap in the
specification?
- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRqbPqoCLcPvd0N1lAQK2LggArnil82LcQ0wOEH+cCEPc3oDvmlG300h5
4kWtwv/JpyeL8PGNENfEuCqW69gvZyru78anHsrmnzLUIyCOt2bs7fcgu4nDmFX9
kbKQdyuI7u/FlcUnsweyrEQ8gII017mTiEzs26/pC4frbejTv4y0ty2JR1YzinTI
McWe4SXf9h21QCy5bWENsoKzB1krgXoZ9E8xJwmSYBWqi5CIazshAoo1fP14WeMk
fo0D2uwipl/bFX9WG2X5W7WpEol/fxMdjvEkg7tZ7VpiBLPItmkT0iFNTC09Zizw
tmuGAJD+RVEQh/l5g36JkRnLy5HbJX9Cj7H9hoqjBQOMDPzXDYpqEg==
=5ZjR
-----END PGP SIGNATURE-----
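What the capture above shows can be checked mechanically. In Main Mode the RFC 3947 NAT-D payloads are carried in messages 3 and 4 on UDP 500, and the initiator floats to UDP 4500 at message 5, which is exactly where the source address in the tcpdump changes from 67.97.210.3:500 to 67.97.210.2:5029. The script below is an added example, not Openswan code and not from the poster: it parses the seven tcpdump lines quoted in the mail (copied here as constructed sample input), reports any source address that appears on port 4500 without ever having appeared on port 500, and computes RFC 3947 NAT-D hashes (HASH(CKY-I | CKY-R | IP | Port), assuming SHA-1 as the negotiated hash and constructed ISAKMP cookies) to show that a hash computed over the pre-float source cannot match one computed over the post-float source.

```python
import hashlib
import re
import socket
import struct

# Constructed sample: the seven tcpdump lines quoted in the post above.
SAMPLE = """\
00:16:48.267254 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.293630 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.344292 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.351657 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.447608 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
00:16:58.442295 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:58.486046 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
"""

# tcpdump's one-line UDP summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_tcpdump(text):
    """Turn tcpdump summaries into (src, sport, dst, dport, rest) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a UDP/IP summary line; skip it
        records.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["rest"]))
    return records


def initiator_endpoints(records, responder):
    """Map each responder port to the set of (ip, port) the peer sent from.
    Only inbound packets count: those carry the post-NAT addresses the
    responder actually sees."""
    seen = {}
    for src, sport, dst, dport, _ in records:
        if dst == responder:
            seen.setdefault(dport, set()).add((src, sport))
    return seen


def natt_float_mismatch(records, responder):
    """(ip, port) pairs seen on UDP 4500 whose IP never appeared on UDP 500,
    i.e. the NAT gave the floated exchange a different public address."""
    seen = initiator_endpoints(records, responder)
    ips_on_500 = {ip for ip, _ in seen.get(500, set())}
    return sorted(ep for ep in seen.get(4500, set()) if ep[0] not in ips_on_500)


def natd_hash(cky_i, cky_r, ip, port):
    """RFC 3947 section 3.2 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port),
    IP and port in network byte order.  SHA-1 is assumed as the negotiated
    hash; the real algorithm is whatever phase 1 agreed on."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).hexdigest()


def natd_still_matches(cky_i, cky_r, before, after):
    """Does a NAT-D hash over the port-500 source equal one over the
    port-4500 source?  before/after are (ip, port) tuples."""
    return natd_hash(cky_i, cky_r, *before) == natd_hash(cky_i, cky_r, *after)


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE)
    responder = "205.150.200.246"
    print("peer endpoints by responder port:", initiator_endpoints(recs, responder))
    print("addresses new on the float to 4500:", natt_float_mismatch(recs, responder))
    # Constructed cookies; real ones come from the ISAKMP header.
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    print("NAT-D over port-500 source still matches after float?",
          natd_still_matches(cky_i, cky_r, ("67.97.210.3", 500), ("67.97.210.2", 5029)))
```

Run against the quoted capture it reports ("67.97.210.2", 5029) as an address the responder never saw on port 500, and the NAT-D comparison comes out False, which is the situation the post describes: a NAT with more than one public address (or separate mappings for the 500 and 4500 flows) makes the peer appear to change identity in the middle of phase 1.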