[Openswan dev] NAT-T in the face of changing IPs
Paul Wouters
paul at xelerance.com
Wed Jul 25 11:14:40 EDT 2007
On Tue, 24 Jul 2007, Michael Richardson wrote:
> Note that packets to port 500 are coming from 67.97.210.3.500, while
> packets to port 4500 are coming from 67.97.210.2.5029.
>
> I.e. a different UDP port. Apparently, this is a problem for openswan.
>
> Was this a case that I just didn't code for, or is this a gap in the
> specification?
This has come up in the past. I believe the right thing to do is to junk
the UDP header completely. Why are we doing any authentication on it? It's
just a carrier pigeon.
Decapsulate the packet into an ESP packet, and then do normal processing
on that.
Paul
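As an added example (not openswan's code, nor anything from the thread), the decapsulation Paul describes in miniature: strip the UDP header, classify the payload by its RFC 3948 framing, and look the inbound SA up by SPI alone, treating the NAT-rewritten source port as state to refresh rather than something to match on. The function names, the SA table layout and the two sample datagrams are constructed for this illustration; the ESP integrity check that would follow the lookup is not shown.

```c
#include <stdint.h>
#include <stddef.h>

enum natt_kind { NATT_BAD = 0, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };
struct natt_result { enum natt_kind kind; uint16_t src_port; uint32_t spi, seq; };
struct inbound_sa { uint32_t spi; uint16_t peer_port; };   /* indexed by SPI only */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Drop the 8-byte UDP header and classify what it carried (RFC 3948 framing): a
 * 1-byte 0xff keepalive, IKE behind a zero "non-ESP marker", or ESP whose first
 * word is the SPI. The UDP header plays no part in authentication; the source
 * port is kept only so replies can be sent back through the NAT. */
struct natt_result natt_decapsulate(const uint8_t *dgram, size_t len) {
    struct natt_result r = { NATT_BAD, 0, 0, 0 };
    const uint8_t *p;
    if (len < 8) return r;
    r.src_port = (uint16_t)((dgram[0] << 8) | dgram[1]);
    p = dgram + 8; len -= 8;
    if (len == 1 && p[0] == 0xff) { r.kind = NATT_KEEPALIVE; return r; }
    if (len < 8) return r;                       /* too short for SPI + seq */
    if (rd32(p) == 0) { r.kind = NATT_IKE; return r; }
    r.kind = NATT_ESP; r.spi = rd32(p); r.seq = rd32(p + 4);
    return r;
}

/* Inbound SA lookup keyed on SPI alone; the peer's current UDP port is state
 * to refresh on each packet, not a key to match on. Returns index or -1. */
int natt_find_sa(struct inbound_sa *tab, size_t n, const struct natt_result *r) {
    if (r->kind != NATT_ESP) return -1;
    for (size_t i = 0; i < n; i++)
        if (tab[i].spi == r->spi) { tab[i].peer_port = r->src_port; return (int)i; }
    return -1;
}

/* Constructed sample: one SA seen first from source port 4500, then from the
 * NAT-rewritten port 5029 as in the thread. Returns 1 if both resolve to SA 0. */
int natt_demo(void) {
    static const uint8_t a[] = {0x11,0x94, 0x11,0x94, 0x00,0x14, 0x00,0x00,
        0x12,0x34,0x56,0x78, 0x00,0x00,0x00,0x01, 0xde,0xad,0xbe,0xef};
    static const uint8_t b[] = {0x13,0xa5, 0x11,0x94, 0x00,0x14, 0x00,0x00,
        0x12,0x34,0x56,0x78, 0x00,0x00,0x00,0x02, 0xde,0xad,0xbe,0xef};
    struct inbound_sa tab[1] = {{0x12345678u, 4500}};
    struct natt_result ra = natt_decapsulate(a, sizeof a);
    struct natt_result rb = natt_decapsulate(b, sizeof b);
    return natt_find_sa(tab, 1, &ra) == 0 && natt_find_sa(tab, 1, &rb) == 0 &&
           tab[0].peer_port == 5029;
}
```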