[Openswan Users] NAT-T incorrect behaviours

Paul Wouters paul at xelerance.com
Thu Oct 28 22:56:05 CEST 2004


On Thu, 28 Oct 2004, albert agusti wrote:

> Is someone taking a look at the NAT-T problems I reported some days ago?

We did.

> 1- Responder behind a NAT IS NOT CAPABLE to respond to connections from
> a remote end if this is behind a NAT too and the NATTing device FLOATS
> UDP ORIGIN PORT to some other port than 500.
> This is supposed to be one of NAT TRAVERSAL features and it does not
> work.

I do not understand a 'responder behind NAT' (unless this is after a rekey,
see 2). Is that using port forwarding/passthrough? You can't be a responder
behind NAT, unless it is a rekey and the IKE channel already exists as a
result of being an initiator on the first round.

> 2- After a correct tunnel is established between two hosts behind NAT
> (both), if the Initiator reboots (or restarts ipsec) the tunnel is NEVER
> RECOVERED again until a reboot on the Responder side (or ipsec restart) is
> issued.

This issue has been fixed in CVS. The patch was submitted by Andreas Steffen.
Try a 2.3.0dr candidate or CVS HEAD.

Paul
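To make concrete why a host behind a NAT cannot act as an IKE responder unless it has already created a NAT mapping by initiating (or has a static port forward for UDP 500), here is an added simulation of a port-translating NAT. It is not Openswan code and not part of the original thread; the addresses, ports, message labels and the `Nat` class are constructed for illustration. It also goes one step beyond Paul's reply by showing what happens once the dynamic mapping is gone (NAT idle timeout or NAT reboot): inbound packets to the old floated port are dropped again until the inside host sends something.

```python
"""Toy port-translating NAT (added example; not Openswan's code).

All hosts, addresses, ports and IKE message labels are constructed.
"""
from dataclasses import dataclass
import itertools

IKE_PORT = 500  # UDP port IKE uses before any NAT-T port float

INITIATOR = "203.0.113.5"   # remote peer, constructed address
NAT_PUBLIC = "198.51.100.1"  # public side of the NAT, constructed
INSIDE = "10.0.0.2"          # the IPsec host behind the NAT, constructed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Port-translating NAT with a dynamic mapping table and optional
    static port forwards. Dynamic mappings are created only by
    outbound traffic, which is what makes a 'cold' responder unreachable."""

    def __init__(self, public_ip, static_forwards=None):
        self.public_ip = public_ip
        self._ports = itertools.count(10000)       # floated external ports
        self.static = dict(static_forwards or {})  # ext_port -> (ip, port)
        self._out_map = {}  # (inside_ip, inside_port) -> external_port
        self._in_map = {}   # external_port -> (inside_ip, inside_port)
        self.expire()       # start with only the static forwards installed

    def outbound(self, pkt):
        """Inside -> outside. First use allocates a mapping; the source
        port 500 is rewritten to a floated port, which is exactly what the
        NAT-T peer must tolerate."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out_map:
            ext = next(self._ports)
            self._out_map[key] = ext
            self._in_map[ext] = key
        return Packet(self.public_ip, self._out_map[key],
                      pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Outside -> inside. Delivered only if a dynamic or static mapping
        exists for the destination port; unsolicited packets are dropped."""
        inside = self._in_map.get(pkt.dst_port)
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)

    def expire(self):
        """Drop all dynamic mappings (idle timeout or NAT reboot).
        Static forwards survive."""
        self._in_map = dict(self.static)
        self._out_map = {inside: ext for ext, inside in self.static.items()}


def cold_responder():
    """Nobody inside has sent anything, so the remote initiator's first
    IKE packet has no mapping to land on and is dropped."""
    nat = Nat(NAT_PUBLIC)
    pkt = Packet(INITIATOR, IKE_PORT, NAT_PUBLIC, IKE_PORT, "IKE phase 1 msg 1")
    return nat.inbound(pkt)  # None


def responder_after_initiating():
    """The inside host initiated once, so a floated mapping exists and the
    remote peer's later packets to that port reach it (the rekey case)."""
    nat = Nat(NAT_PUBLIC)
    out = nat.outbound(Packet(INSIDE, IKE_PORT, INITIATOR, IKE_PORT, "IKE phase 1 msg 1"))
    reply = Packet(INITIATOR, IKE_PORT, NAT_PUBLIC, out.src_port, "IKE phase 1 msg 2")
    return out.src_port, nat.inbound(reply)


def responder_with_port_forward():
    """A static forward of UDP 500 is the one way a cold host behind NAT
    can receive an unsolicited IKE packet."""
    nat = Nat(NAT_PUBLIC, static_forwards={IKE_PORT: (INSIDE, IKE_PORT)})
    return nat.inbound(Packet(INITIATOR, IKE_PORT, NAT_PUBLIC, IKE_PORT, "IKE phase 1 msg 1"))


def responder_after_mapping_expired():
    """Once the dynamic mapping is gone, traffic to the old floated port
    is dropped until the inside host sends again."""
    nat = Nat(NAT_PUBLIC)
    out = nat.outbound(Packet(INSIDE, IKE_PORT, INITIATOR, IKE_PORT, "IKE phase 1 msg 1"))
    nat.expire()
    return nat.inbound(Packet(INITIATOR, IKE_PORT, NAT_PUBLIC, out.src_port, "rekey"))


if __name__ == "__main__":
    print("cold responder:", cold_responder())
    print("after initiating:", responder_after_initiating())
    print("with port forward:", responder_with_port_forward())
    print("after mapping expired:", responder_after_mapping_expired())
```

The simulation deliberately leaves out the NAT-T keepalives and the float to UDP 4500 that real NAT-T performs; the point it isolates is the one in the reply above: a mapping on the NAT exists only because the inside host sent first, so "responder behind NAT" only works for a rekey over an existing IKE channel or with an explicit port forward.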

