[Openswan Users] NAT-T on ports != [500,4500]
Ronald Moesbergen
Ronald.Moesbergen at bkvision.nl
Tue Feb 8 14:49:37 CET 2005
Hi,
Another question: Is it allowed for NAT-T to negotiate ports other than
500 or 4500? I see the following between an XPSP2 client and
openswan-cvs:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
| NAT-T: new mapping 82.136.251.70:12091/12092)
IPsec SA established {ESP=>0xb120db61 <0x73189476 NATD=82.136.251.70}
As you can see, none of the ports used are 4500 or 500, and this presents
a problem with my firewall. The IPsec SA is established, but no traffic
can come in because it is blocked by the firewall. If it's possible for
NAT-T to use any port on the server side, then I must open every port in
my firewall, which isn't nice ... I've read a lot of docs about NAT-T and
they all state that it must use port 4500/udp on the server side. Any
clues why this happens?
Thanks,
Ronald.