[Openswan Users] Just 2 questions

Paul Wouters paul at xelerance.com
Mon Aug 22 23:36:01 CEST 2005


On Mon, 22 Aug 2005, Vincent Schultz wrote:

>> You are missing rules for udp 4500 (IKE with NAT-T). Remember the source
>> port for these is mostly not 4500 but a random high port.
>
> Actually, my network is a local test network; I do not have any NAT
> device, so there is no need to do NAT-T ... am I right?

Right.

> No no, that's the problem. I don't know where I made a mistake. Here is
> my firewall script on the secure gateway 152.18.31.45 (the other one is
> 152.18.31.45):

> ... So the OUTPUT policy is DROP! I have no rule for OUTPUT ESP and the
> log shows nothing.

I guess then this is because of the exact hook of the NETKEY code. Just like
tcpdump cannot "see" the ESP packets, perhaps the iptables firewall can also
only see the plaintext packets before encryption, and not after encryption.

Paul

