[Openswan Users] NAT-T on ports != [500,4500] (fwd)

Ken Bantoft ken at xelerance.com
Sat Feb 12 17:54:35 CET 2005

Hi Ronald,

Try  CVS HEAD now, aka 2.3.1dr2, which fixes a NAT-T rekey bug in pluto.

Ronald Moesbergen wrote:

>I gathered some more info on this:
>I have now confirmed that when using 2.3.0-plain all clients can connect
>without trouble, but get disconnected after 2 hours and then can't
>reconnect. If I use 2.3.0-cvs, 2 clients can still connect without
>problems and even for more than 2 hours, but the third one has the
>problem described below and can't connect at all (endless 'IPSec SA
>Established' loop). I also tried using KLIPS with kernel 2.4.29 en
>2.3.0-cvs, but then the exact same problem occurs, the other 2 clients
>can still connect without trouble, the one client still cannot. I also
>noticed that when using 2.3.0-plain I get:
>IPsec SA established {ESP/NAT=>0x61c59236 <0xb104023a NATOA=}
>(Connection works)
>when using CVS I get:
>IPsec SA established {ESP=>0x946eee0a <0x8b4c0373 NATD=}
>(Connection fails)
>Hope this helps to narrow it down. Thanks,

More information about the Users mailing list