[Openswan Users] NAT-T on ports != [500,4500]

Ronald Moesbergen Ronald.Moesbergen at bkvision.nl
Tue Feb 8 14:49:37 CET 2005


Hi,
 
Another question: Is it allowed for NAT-T to negotiate ports other than
500 or 4500? I see the following between an XPSP2 client and
openswan-cvs:
 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
| NAT-T: new mapping 82.136.251.70:12091/12092)
IPsec SA established {ESP=>0xb120db61 <0x73189476 NATD=82.136.251.70}

As you can see, none of the ports used are 4500 or 500, and this presents
a problem with my firewall. The IPsec SA is established, but no traffic
can come in because it is blocked by the firewall. If it's possible for
NAT-T to use any port on the server side, then I must open every port in
my firewall, which isn't nice ... I've read a lot of docs about NAT-T and
they all state that it must use port 4500/udp on the server side. Any
clues why this happens?

Thanks,
Ronald.
