[Openswan Users] Advanced 2.6 Routing
Travis Groth
lists at netfoo.org
Thu Jul 1 03:36:33 CEST 2004
I figured it out. I was being bitten by the IPsec/NAT problem where
you have to explicitly exclude ESP/AH from being NATed. I discovered
this when I watched tcpdumps and realized that if I was (for instance)
trying to connect to port 80 on the far side of the tunnel, the response
would come back from port 1. Something about allowing ESP to pass
through NAT (even though its address doesn't get changed) messes with
the source port number during replies, which messes up the handshake.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215980 for
slightly better info.
--Travis
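As an added example (not part of Travis's post or of Openswan itself), here is the shape of a POSTROUTING ruleset that keeps tunnel traffic out of MASQUERADE. It assumes a gateway with the local subnet 192.168.1.0/24, the far side of the tunnel at 192.168.2.0/24 and eth0 as the internet-facing interface; all three are placeholders. The ordering is the point: netfilter takes the first matching target, so the ACCEPT exclusions have to come before the MASQUERADE rule. The script only prints the iptables commands so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the original post. The subnets and interface below
# are assumed placeholders; adjust them to the real topology.
LAN_NET=${LAN_NET:-192.168.1.0/24}       # assumed: subnet behind this gateway
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24} # assumed: subnet on the far side of the tunnel
WAN_IF=${WAN_IF:-eth0}                   # assumed: internet-facing interface

# Emit the NAT rules in the order they must be loaded. netfilter walks a
# chain top to bottom and stops at the first terminating target, so the
# exclusions must precede MASQUERADE.
nat_rules() {
    # Packets bound for the remote subnet will be encrypted by the tunnel.
    # With the 2.6 native IPsec stack they reach the nat POSTROUTING chain
    # as plaintext before ESP encapsulation, so a plain MASQUERADE rule would
    # rewrite their source address/port. ACCEPT in the nat table means
    # "do not NAT this connection" and still lets the packet through.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $REMOTE_NET -j ACCEPT"
    # ESP (protocol 50) and AH (protocol 51) carry no port numbers; keep the
    # NAT engine away from them as well.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p esp -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p ah -j ACCEPT"
    # Everything else leaving the WAN interface from the LAN is masqueraded.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# Sanity check: every ACCEPT exclusion must appear before the first
# MASQUERADE rule. Returns 0 when the ordering is correct.
rules_ordered() {
    first_masq=$(nat_rules | grep -n 'MASQUERADE' | head -n1 | cut -d: -f1)
    last_accept=$(nat_rules | grep -n ' -j ACCEPT' | tail -n1 | cut -d: -f1)
    [ -n "$first_masq" ] && [ -n "$last_accept" ] && \
        [ "$last_accept" -lt "$first_masq" ]
}

# Count of emitted rules, for a quick check that nothing was dropped.
rule_count() {
    nat_rules | wc -l | tr -d ' '
}

# Review with `sh nat-rules.sh`; apply with `sh nat-rules.sh | sh` once
# the subnets and interface are right.
nat_rules
```

If the gateway already has a MASQUERADE rule loaded, inserting the exclusions with `-I POSTROUTING 1` instead of `-A` puts them ahead of it without flushing the chain. The symptom to look for when the exclusion is missing is exactly what the post describes: a tcpdump on the tunnel showing replies coming back from a rewritten source port rather than the port you connected to.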