[Openswan Users] Advanced 2.6 Routing

Travis Groth lists at netfoo.org
Thu Jul 1 03:36:33 CEST 2004


I figured it out.  I was being bitten by the IPsec/NAT problem where
you have to explicitly exclude ESP/AH from being NATed.  I discovered
this when I watched tcpdumps and realized that if I was (for instance)
trying to connect to port 80 on the far side of the tunnel, the response
would come back from port 1.  Something about allowing ESP to pass
through NAT (even though its address doesn't get changed) messes with
the source port number during replies, which messes up the handshake.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215980 for
slightly better info.


--Travis
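The exclusion described above, as an added example that is not part of the original post or of the Openswan project: a small script that emits the nat-table rules so that ESP, AH and traffic bound for the far side of the tunnel are accepted before the catch-all MASQUERADE rule can touch them, plus a check that the ordering is right. The interface and subnets (eth0, 192.168.1.0/24, 10.0.0.0/24) are illustrative assumptions; the rule to exempt tunnel-bound traffic by destination subnet is the usual companion to the ESP/AH exemption and is not something the post itself mentions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates netfilter NAT rules
# that exempt IPsec from MASQUERADE on a 2.6 gateway. All names below are
# assumed illustrative values; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"                    # assumed: outside interface
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"    # assumed: LAN behind the gateway
REMOTE_NET="${REMOTE_NET:-10.0.0.0/24}"     # assumed: subnet on the far side
IPTABLES="${IPTABLES:-iptables}"

# Emit the rules in order. In the nat table a packet is matched by the
# first rule that fits, so every ACCEPT must precede the MASQUERADE line;
# otherwise ESP/AH and tunnel-bound packets get their addresses and
# (for the replies) their ports rewritten, which is the symptom above.
nat_rules() {
    cat <<EOF
$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -p esp -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -p ah -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -s $LOCAL_NET -j MASQUERADE
EOF
}

# Sanity check: return 0 only if the first MASQUERADE comes after the
# last ACCEPT, i.e. no exemption is shadowed by the catch-all rule.
check_order() {
    nat_rules | awk '
        /-j ACCEPT/     { last_accept = NR }
        /-j MASQUERADE/ { if (!first_masq) first_masq = NR }
        END             { exit !(first_masq > last_accept) }'
}

# Run with APPLY=1 to feed the rules to a shell; otherwise just print them
# so they can be reviewed (or diffed against "iptables -t nat -S").
if [ "${APPLY:-0}" = 1 ]; then
    check_order && nat_rules | sh
else
    nat_rules
fi
```

After applying, confirm with a capture on the outside interface (for example `tcpdump -ni "$WAN_IF" esp or ah`) that the ESP packets leave with the gateway's own address and that replies to a connection through the tunnel carry the original source port rather than a rewritten one.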



More information about the Users mailing list