[Openswan Users] Problem with XP SP2 and NAT-T

Olivier JAVAUX olivier.javaux at ib-group.com
Thu Nov 11 11:40:41 CET 2004


Hello,

I am trying to set up a tunnel with NAT-T between an OpenSwan gateway
and a roadwarrior running Windows XP SP2
(I had already set up an ESP tunnel between FreeSwan and XP SP1).

I am not succeeding in establishing the tunnel.

After investigation, I think that I have identified the problem.
During the protocol initialization, Windows tries to send a very big packet (1596 bytes):
   11-11: 11:26:10:361:36c Sending: SA = 0x000C9048 to 213.56.232.64:Type 2.4500
   11-11: 11:26:10:361:36c ISAKMP Header: (V1.0), len = 1596
   11-11: 11:26:10:361:36c   I-COOKIE bbbfd174b88f6885
   11-11: 11:26:10:361:36c   R-COOKIE ba02b5aa59dab9e6
   11-11: 11:26:10:361:36c   exchange: Oakley Main Mode
   11-11: 11:26:10:361:36c   flags: 1 ( encrypted )
   11-11: 11:26:10:361:36c   next payload: ID
   11-11: 11:26:10:361:36c   message ID: 00000000
   11-11: 11:26:10:361:36c Ports S:9411 D:9411
   11-11: 11:26:10:932:5e0 retransmit: sa = 000C9048 centry 00000000 , count = 1
This packet is then fragmented into an initial packet sized according to the MTU
and a following IP fragment.
These two packets never reach my gateway.

Why does Windows have to send 1596 bytes for an SA?
Is there a way to avoid this IP fragmentation?

Thx for your help.
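The following is an added example for checking a situation like the one described in this post; it is not code from the post, from Openswan or from Microsoft. It parses the ISAKMP header (RFC 2408) out of a UDP payload captured on the IKE port, strips the 4-byte non-ESP marker that NAT-T uses on UDP 4500 (RFC 3948), and reports whether a message of the declared length must be IP-fragmented at a given MTU and whether the bytes actually captured are shorter than the declared length (the signature of a dropped second fragment). The cookies, exchange type, flags and length in the sample come from the log above; the payload bytes behind the header are constructed zero filler, since the real payloads are encrypted and not on the page. The function and constant names are the example's own.

```python
import math
import struct

# Framing constants: RFC 2408 ISAKMP header, RFC 3948 UDP encapsulation on port 4500
ISAKMP_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IP_HEADER_LEN = 20
UDP_HEADER_LEN = 8
FLAG_ENCRYPTION = 0x01

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}


def parse_isakmp(udp_payload: bytes, port: int = 4500) -> dict:
    """Decode the fixed 28-byte ISAKMP header; on port 4500 the non-ESP marker comes first."""
    if port == 4500:
        if udp_payload[:4] != NON_ESP_MARKER:
            raise ValueError("port 4500 payload without non-ESP marker (ESP-in-UDP, not IKE)")
        data = udp_payload[4:]
    else:
        data = udp_payload
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, next_payload, version, exch,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    return {
        "i_cookie": icookie.hex(),
        "r_cookie": rcookie.hex(),
        "next_payload": PAYLOAD_TYPES.get(next_payload, str(next_payload)),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,            # length the sender declared
        "bytes_present": len(data),  # ISAKMP bytes actually in this UDP payload
    }


def ip_fragments_needed(isakmp_len: int, mtu: int = 1500, port: int = 4500) -> int:
    """Number of IPv4 fragments a datagram carrying this IKE message needs at the given MTU."""
    marker = len(NON_ESP_MARKER) if port == 4500 else 0
    ip_payload = UDP_HEADER_LEN + marker + isakmp_len
    if IP_HEADER_LEN + ip_payload <= mtu:
        return 1
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8  # fragment data must be a multiple of 8
    return math.ceil(ip_payload / per_fragment)


def analyse(udp_payload: bytes, port: int = 4500, mtu: int = 1500) -> dict:
    """Header fields plus the fragmentation and truncation verdicts a gateway admin wants."""
    hdr = parse_isakmp(udp_payload, port)
    marker = len(NON_ESP_MARKER) if port == 4500 else 0
    hdr["max_unfragmented_len"] = mtu - IP_HEADER_LEN - UDP_HEADER_LEN - marker
    hdr["fragments"] = ip_fragments_needed(hdr["length"], mtu, port)
    # Declared length larger than captured bytes: the tail fragment never arrived.
    hdr["truncated"] = hdr["bytes_present"] < hdr["length"]
    return hdr


def build_sample(length: int = 1596) -> bytes:
    """Constructed UDP-4500 payload reproducing the header fields from the Windows log."""
    header = struct.pack("!8s8sBBBBII",
                         bytes.fromhex("bbbfd174b88f6885"),  # I-COOKIE from the log
                         bytes.fromhex("ba02b5aa59dab9e6"),  # R-COOKIE from the log
                         5,               # next payload: ID
                         0x10,            # version 1.0
                         2,               # exchange: Main Mode
                         FLAG_ENCRYPTION, # flags: encrypted
                         0,               # message ID
                         length)
    return NON_ESP_MARKER + header + b"\x00" * (length - ISAKMP_HEADER_LEN)


if __name__ == "__main__":
    full = build_sample()
    print(analyse(full))
    # What the gateway sees if only the first 1500-byte fragment gets through:
    first_fragment_only = full[:1480 - UDP_HEADER_LEN]
    print(analyse(first_fragment_only))
```

Run it over the UDP payload extracted from a capture on the gateway side. A message with `fragments` greater than 1 will be split by the Windows host, so any device between the peers that drops non-initial fragments (a common firewall default) leaves the gateway with a `truncated` header and no way to decrypt the exchange; the `max_unfragmented_len` value tells you how much smaller the message, or how much larger the path MTU, would need to be.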