[Openswan Users] NAT-T incorrect behaviours

Paul Wouters paul at xelerance.com
Fri Oct 29 01:33:53 CEST 2004

On Fri, 29 Oct 2004, Albert Agusti wrote:

> In my scenario, the two ipsec gateways are behind nat DSL router. None
> of the routers is doing ipsec passthrough, but both forward incoming
> packets on the outbound interfaces directed to udp 500 and udp 4500 to
> the Linux ipsec gateway that is behind them.
> Linux1------DSL 1--------Internet-----------DSL 1------Linux2
> The idea is that any of the Linux ipsec sees remote end on valid IP
> address of remote DSL router.
> Both can act as Initiator or responder and it works. And now without
> rekey problems (Andreas Steffen patch)
> The problem arises when the side that initiated goes down and tries to
> reconnect. Remote (Responder) does not act as the first successfull
> attempt, and until ipsec is restarted at his side (ipsec) does not
> authorize the connection. (problem 2)

Okay, in that case, just enable Dead Peer Detection (DPD). Add to your
connection definition on both sides:


> Is there a newer patch from Andreas ? or is the one that solved
> rekeying?

That's the one.


More information about the Users mailing list