[Openswan Users] CISCO heartburn turns in to WatchGuard heartburn

Jeff Herring jeffh at sldsi.com
Wed Feb 2 11:28:59 CET 2005

Setting nat_traversal=yes did the trick for the Ciscos AND broke all of
my tunnels to WatchGuard fireboxes...

Now it looks like the WatchGuards are doing NAT even though I don't want it.
i.e. now pings go out as ESP packets but come back as UDP 4500...

Anyone have any ideas? I guess there is no way to tunnel by tunnel turn off 

-Jeff H.

At 08:57 AM 1/30/2005, Lorens Kockum wrote:
>On Sat, Jan 29, 2005 at 05:33:59PM +0100, Paul Wouters wrote:
> > On Fri, 28 Jan 2005, Jeff Herring wrote:
> >
> > >I've updated to 2.3 / patched a 2.4.29 kernel / I have 30 tunnels working
> > >except 2
> > >that both have Cisco equipment and this error when connecting...Other
> > >Cisco equipment works
> > >Other non-Cisco stuff works...
> > >
> > >protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> > >
> > >I've tried...leftprotoport=17/500 & rightprotoport=17/500 with no luck...
> >
> > Try leftprotoport=17/0 or 17/%any (one of the two was a workaround, the
> > other is the
> > real solution, but I forgot which is which :)
>Sorry, but no. Maybe this worked in Openswan 1, but not in 2.2
>or 2.3, as I said earlier this week on this list in two messages
>         Re: [Openswan Users] incomplete ISAKMP SA ...
>Since nobody replied to my first message, I delved into the
>source, and after inspecting the place where the error is
>generated at the beginning of function decode_peer_id in
>openswan-2/programs/pluto/ipsec_doi.c, and comparing the code
>in openswan 1 and 2, I concluded that it is necessary and
>sufficient to define nat_traversal=yes in the config setup.
>I did this, as I said I would in my second message, and had no
>further problems.
>I did not need leftprotoport or rightprotoport, my tunnel to the
>PIX goes up and transports packets using only
>     type=tunnel
>     authby=secret
>     left=xxxx
>     leftsubnet=xxxx
>     right=xxxx
>     rightsubnet=xxxx
>     auto=start
>Maybe needing nat_traversal=yes is justified because of NAT
>being set up on the Cisco end?
>#include <std_disclaim.h>                          Lorens Kockum

Jeff Herring  /  jeffh at sldsi.com
Seacoast Laboratory Data Systems, Inc.
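A quick way to confirm the symptom described above (ESP going out, UDP 4500 coming back from the same peer) from a packet capture. This is an added example, not code from the thread or from Openswan; it assumes a simplified tcpdump-style line format and works on constructed sample lines.

```python
"""Flag IPsec peers whose traffic is plain ESP in one direction but
UDP/4500 (NAT-T encapsulation) in the other, i.e. one side has decided
NAT is present and the other has not."""
import re
from collections import defaultdict

# Constructed sample lines in a simplified tcpdump-like format (assumption:
# this is the format parsed below; it is not a capture from the thread).
SAMPLE_LINES = """\
IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0000a1b2,seq=0x1)
IP 198.51.100.20.4500 > 192.0.2.10.4500: UDP, length 132
IP 192.0.2.10 > 203.0.113.5: ESP(spi=0x0000c3d4,seq=0x1)
IP 203.0.113.5 > 192.0.2.10: ESP(spi=0x0000e5f6,seq=0x1)
IP 192.0.2.10.4500 > 203.0.113.9.4500: UDP, length 132
IP 203.0.113.9.4500 > 192.0.2.10.4500: UDP, length 132
"""

ESP_RE = re.compile(r"^IP (\S+) > (\S+): ESP\(")
NATT_RE = re.compile(r"^IP (\S+)\.4500 > (\S+)\.4500: UDP")


def encapsulation_by_peer(lines, local_ip):
    """Return {peer_ip: {"out": set(kinds), "in": set(kinds)}} as seen
    from local_ip, where kind is "esp" or "udp4500"."""
    seen = defaultdict(lambda: {"out": set(), "in": set()})
    for line in lines.splitlines():
        m = ESP_RE.match(line)
        kind = "esp"
        if m is None:
            m = NATT_RE.match(line)
            kind = "udp4500"
        if m is None:
            continue  # not an ESP or NAT-T line, ignore
        src, dst = m.group(1), m.group(2)
        if src == local_ip:
            seen[dst]["out"].add(kind)
        elif dst == local_ip:
            seen[src]["in"].add(kind)
    return seen


def asymmetric_peers(lines, local_ip):
    """Peers where the encapsulation used outbound differs from inbound."""
    return sorted(peer for peer, d in encapsulation_by_peer(lines, local_ip).items()
                  if d["out"] and d["in"] and d["out"] != d["in"])
```

Run against the sample with local_ip "192.0.2.10" it reports only 198.51.100.20, the peer that answers ESP with UDP 4500.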
