[Openswan dev] Question about UDP in ESP encapsulation in Openswan

Kevin Wilson wkevils at gmail.com
Tue Oct 26 15:45:34 EDT 2010


Hi,
I tried to delve into openswan code (especially pluto).

I have a question, if I may, about UDP in ESP encapsulation in openswan:
As far as I understand, when adding nat-traversal=yes to ipsec.conf
and when both sides are behind NAT,
the following should happen:
ISAKMP messages will be sent with UDP encapsulation on port 4500
KeepAlive messages will be sent with UDP encapsulation on port 4500
(with keep alive, the UDP payload is one byte, 0xff).

As far as I understand, the openswan userspace pluto daemon opens
sockets and sends these two types of packets.
My question is about regular traffic - suppose I have a tunnel
between two peers behind a NAT and I have
nat-traversal=yes in ipsec.conf and I start to transmit UDP or TCP or
ICMP from sockets I open in my user space application.

This traffic also should have UDP encapsulation for NAT-T; who
performs this? Is it a job done by the kernel? Who tells the kernel
that the traffic should be UDP encapsulated for NAT-T? Or is it done
by openswan (I believe it ain't so)?
I would appreciate it, in case the first answer is the one, if somebody
could point me to:

1) Where in the kernel is such encapsulation done?
2) How does the kernel know about this task? Is it some flag in
the SA (xfrm policy)?

Rgs,
Kevin
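As an added example that is not part of the original post or of openswan's code, the following Python classifier shows the three kinds of datagram the question lists on UDP/4500 side by side, framed as RFC 3948 (UDP encapsulation of ESP) defines them: a one-byte 0xff NAT-keepalive, an IKE message preceded by a four-byte zero "non-ESP marker", and a UDP-encapsulated ESP packet whose first four bytes are a non-zero SPI followed by the sequence number. The sample payloads are constructed here for illustration; the SPI values and the 28-byte ISAKMP header layout (initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length) are the only assumptions.

```python
"""Classify UDP/4500 payloads as used by IPsec NAT-Traversal (RFC 3948).

Added example for discussion, not code from openswan or the mailing list.
Useful on the defensive side when checking a capture of a NAT-T tunnel:
it tells keepalives, IKE and ESP-in-UDP apart without a full IPsec stack.
"""
import struct

NAT_KEEPALIVE = b"\xff"              # RFC 3948 section 2.3: single 0xff byte
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 section 2.2: IKE over 4500
ISAKMP_HEADER_LEN = 28               # fixed ISAKMP/IKEv2 header size
ISAKMP_HEADER_FMT = "!8s8sBBBBII"    # iSPI, rSPI, next, ver, exch, flags, msgid, len


def classify_nat_t_payload(payload: bytes) -> dict:
    """Describe what one UDP/4500 datagram payload carries.

    Returns a dict with a "kind" key of "nat-keepalive", "ike", "esp" or
    "unknown", plus the header fields that could be parsed.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        # ESP needs at least SPI + sequence number; anything shorter is noise
        return {"kind": "unknown", "reason": "too short"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < ISAKMP_HEADER_LEN:
            return {"kind": "unknown", "reason": "truncated ISAKMP header"}
        (ispi, rspi, next_payload, version, exch_type,
         flags, msg_id, length) = struct.unpack(ISAKMP_HEADER_FMT, body[:ISAKMP_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": ispi.hex(),
            "responder_spi": rspi.hex(),
            "major_version": version >> 4,
            "minor_version": version & 0x0F,
            "exchange_type": exch_type,
            "next_payload": next_payload,
            "flags": flags,
            "message_id": msg_id,
            "length": length,
        }
    # Anything else with a non-zero first word is UDP-encapsulated ESP:
    # the SPI is followed by the 32-bit sequence number, then ciphertext.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "sequence": seq}


def summarize_capture(datagrams) -> dict:
    """Count datagram kinds over an iterable of UDP/4500 payloads."""
    counts = {}
    for payload in datagrams:
        kind = classify_nat_t_payload(payload)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample payloads (not from a real capture).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_ESP = struct.pack("!II", 0x12345678, 7) + b"\xde\xad\xbe\xef" * 4
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    ISAKMP_HEADER_FMT,
    b"\x01" * 8,   # initiator SPI (constructed)
    b"\x00" * 8,   # responder SPI, zero in the first IKE_SA_INIT message
    33,            # next payload: SA
    0x20,          # IKEv2 version 2.0
    34,            # exchange type: IKE_SA_INIT
    0x08,          # flags: Initiator bit
    0,             # message ID
    ISAKMP_HEADER_LEN,
)

if __name__ == "__main__":
    for p in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, b"\x00\x00\x00\x00\x01"):
        print(classify_nat_t_payload(p))
    print(summarize_capture([SAMPLE_KEEPALIVE, SAMPLE_ESP, SAMPLE_ESP, SAMPLE_IKE]))
```

The classifier relies on the same rule the kernel's UDP-encapsulation receive path relies on: an ESP SPI is never zero, so a zero first word can only be the non-ESP marker in front of IKE, and a lone 0xff byte is a keepalive that must be discarded rather than decrypted. On Linux, an SA that expects this framing shows the encapsulation in its state (`ip xfrm state` prints an `encap type espinudp sport 4500 dport 4500 ...` line for it), which is a quick way to confirm on a running box whether the tunnel traffic is supposed to be UDP-encapsulated at all.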
