[Openswan dev] NAT-T in the face of changing IPs

Michael Richardson mcr at sandelman.ottawa.on.ca
Wed Jul 25 00:21:05 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Here on the IETF hotel LAN, I noticed that my IPsec tunnels stopped
working to my SOHO, but some other tunnels remained up.  After doing
some multi-hop SSH logins, I tcpdump'ed as follows from the remote end:

00:16:48.267254 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.293630 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.344292 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.351657 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.447608 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
00:16:58.442295 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:58.486046 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]

Note that packets to port 500 are coming from 67.97.210.3.500, while
packets to port 4500 are coming from 67.97.210.2.5029.

I.e. a different UDP port.  Apparently, this is a problem for openswan.

Was this a case that I just didn't code for, or is this a gap in the
specification? 

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRqbPqoCLcPvd0N1lAQK2LggArnil82LcQ0wOEH+cCEPc3oDvmlG300h5
4kWtwv/JpyeL8PGNENfEuCqW69gvZyru78anHsrmnzLUIyCOt2bs7fcgu4nDmFX9
kbKQdyuI7u/FlcUnsweyrEQ8gII017mTiEzs26/pC4frbejTv4y0ty2JR1YzinTI
McWe4SXf9h21QCy5bWENsoKzB1krgXoZ9E8xJwmSYBWqi5CIazshAoo1fP14WeMk
fo0D2uwipl/bFX9WG2X5W7WpEol/fxMdjvEkg7tZ7VpiBLPItmkT0iFNTC09Zizw
tmuGAJD+RVEQh/l5g36JkRnLy5HbJX9Cj7H9hoqjBQOMDPzXDYpqEg==
=5ZjR
-----END PGP SIGNATURE-----
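As an added illustration of the mismatch Michael describes (this is example code written for this page, not his code and not part of Openswan), the script below parses the tcpdump lines quoted above, embedded here as a constructed sample, and for the responder address 205.150.200.246 reports which initiator endpoints were seen on UDP 500 versus UDP 4500. It flags NAT-T packets whose source IP never appeared on port 500, and separately checks whether the responder kept sending phase 1 replies to port 500 after encapsulated traffic had already arrived on 4500, which is the symptom visible in the capture. The function names and the regex are mine; the timestamp comparison assumes all lines fall on the same day.

```python
import re

# Constructed sample input: the seven tcpdump summary lines from the post.
SAMPLE_TCPDUMP = """\
00:16:48.267254 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.293630 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.344292 IP 67.97.210.3.500 > 205.150.200.246.500: isakmp: phase 1 I ident
00:16:48.351657 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:48.447608 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
00:16:58.442295 IP 205.150.200.246.500 > 67.97.210.3.500: isakmp: phase 1 R ident
00:16:58.486046 IP 67.97.210.2.5029 > 205.150.200.246.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
"""

# Matches tcpdump's IPv4/UDP summary form: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_tcpdump(text):
    """Turn tcpdump summary lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        pkts.append(d)
    return pkts


def compare_ike_and_natt_sources(pkts, responder):
    """For packets addressed to `responder`, collect the initiator endpoints seen on
    UDP 500 (IKE) and UDP 4500 (NAT-T) and flag 4500 sources whose IP never showed
    up on 500. A changed source *port* on 4500 is expected behind a NAT; a changed
    source *IP* means the NAT used a different public address for the two flows."""
    ike = sorted({(p["src"], p["sport"]) for p in pkts
                  if p["dst"] == responder and p["dport"] == 500})
    natt = sorted({(p["src"], p["sport"]) for p in pkts
                   if p["dst"] == responder and p["dport"] == 4500})
    ike_ips = {src for src, _ in ike}
    return {
        "ike_sources": ike,
        "natt_sources": natt,
        "natt_from_new_ip": [ep for ep in natt if ep[0] not in ike_ips],
    }


def responder_kept_using_500(pkts, responder):
    """True if the responder still sent packets to the initiator's port 500 after
    the first NAT-T packet arrived on 4500, i.e. it did not follow the port float.
    Timestamps are compared as HH:MM:SS.ffffff strings (assumes a single day)."""
    first_natt = min((p["ts"] for p in pkts
                      if p["dst"] == responder and p["dport"] == 4500), default=None)
    if first_natt is None:
        return False
    return any(p["src"] == responder and p["dport"] == 500 and p["ts"] > first_natt
               for p in pkts)


if __name__ == "__main__":
    packets = parse_tcpdump(SAMPLE_TCPDUMP)
    summary = compare_ike_and_natt_sources(packets, "205.150.200.246")
    print("IKE (500) sources:  ", summary["ike_sources"])
    print("NAT-T (4500) sources:", summary["natt_sources"])
    print("4500 traffic from an IP never seen on 500:", summary["natt_from_new_ip"])
    print("responder still replying to port 500 after NAT-T began:",
          responder_kept_using_500(packets, "205.150.200.246"))
```

Run against the sample, the script reports that IKE came from 67.97.210.3:500 while the encapsulated traffic came from 67.97.210.2:5029, and that the responder was still answering on port 500 ten seconds after the first 4500 packet. The same two checks applied to a live capture on the responder side give a quick way to distinguish "the NAT changed the source port" (ordinary) from "the NAT changed the source address between the two flows" (the case in this thread) before digging into the daemon's state.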