[Openswan Users] incomplete ISAKMP SA ...

Lorens Kockum openswan-users-254 at lists.lorens.org
Tue Jan 25 17:35:51 CET 2005


On Tue, Jan 25, 2005 at 02:17:50PM +0100, Lorens Kockum wrote:
> I thought that maybe "A workaround for this was added recently."
> said in March 2004 might not have made it into 2.2.0, so I've
> upgraded to 2.3.0.

In fact it seems that a patch made it into openswan 1 in March
2004:

http://anoncvs.openswan.org/cgi-bin/viewcvs.cgi/openswan-1/pluto/ipsec_doi.c?r1=1.63&r2=1.64

Still there in the last version, 1.66.

In the corresponding place in openswan 2, there is a big ifdef
for nat traversal which would authorize the PIX if

	st->hidden_variables.st_nat_traversal & NAT_T_WITH_PORT_FLOATING

I don't use NAT. Maybe the PIX uses it for other tunnels than
mine, or maybe my tunnel is natted on the PIX side of things.
I'll try enabling NAT traversal with some kind of static same-IP
non-translation . . .

-- 
#include <std_disclaim.h>                          Lorens Kockum

