[Openswan dev] NAT-T in the face of changing IPs

Paul Wouters paul at xelerance.com
Wed Jul 25 11:14:40 EDT 2007

On Tue, 24 Jul 2007, Michael Richardson wrote:

> Note that packets to port 500 are coming from, while
> packets to port 4500 are coming from
> I.e. a different UDP port.  Apparently, this is a problem for openswan.
> Was this a case that I just didn't code for, or is this a gap in the
> specification?

This has come up in the past. I believe the right thing to do is to junk
the UDP header completely. Why are we doing any authentication on it? It's
just a carrier pigeon.

Decapsulate the packet into an ESP packet, and then do normal processing
on that.


More information about the Dev mailing list