[Openswan Users] Cisco and Freeswan (outgoing requests to ports > 1024)

Alessandro Macuz axl_mac at libero.it
Sat Jun 4 13:14:04 CEST 2005


Hi all,

we have built an IPsec connection with PSK between a Cisco PIX525 and Freeswan.
Everything went OK until we discovered that the Linux box has difficulty initiating communication towards
devices on the other side.

We built 2 tunnels between a LAN and 2 servers

192.168.41.0/24 <-->public IP<-------Internet cloud------->public IP<--> 10.146.10.82/32
192.168.41.0/24 <-->public IP<-------Internet cloud------->public IP<--> 10.146.12.67/32

The strange behaviour is that pinging from one of the 10.146.xxx PCs brings the tunnel up, but when the
first server tries to contact another server placed in the LAN, the tunnel doesn't come up.
Somebody told me the SQLnet port (1521) is higher than the standard 1024 for outgoing communications and
the Linux box does not consider it an attempt to communicate with the other side (it seems very strange to
me).
Other people told me I must investigate timeouts (Freeswan cannot set it greater than 480
minutes, and if it finds a different value on the other side there could be problems).

I've been working with another guy who manages the Linux box, so I don't have the configuration available.

Another question:

are pfs and Diffie-Hellman group parameters independent?
I know the default in Freeswan is PFS yes and D-H group = 2 (1024 bits), but what is the difference
between declaring pfs=yes and not declaring it in ipsec.conf?


Thanks for your attention,

Alex.
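A FreeS/WAN-style ipsec.conf covering the two tunnels and the two questions above, as an added example that is not from the original post or from the Openswan/FreeS/WAN project. The public addresses 198.51.100.1 (Linux side) and 203.0.113.1 (PIX side) are placeholders, the conn names are invented, and the ike=/esp= proposal lines assume a build that accepts those keywords (label them as such in your own config if unsure). Lifetimes are set to match what the poster reports for the PIX side and must agree with the PIX's isakmp and crypto-map lifetimes.

```ini
# /etc/ipsec.conf  (example, not the poster's real configuration)
# The matching PSK goes in /etc/ipsec.secrets, one line per peer pair:
#   198.51.100.1 203.0.113.1 : PSK "replace-with-the-shared-secret"

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

# Parameters shared by every conn below.
conn %default
    authby=secret
    keyexchange=ike
    # pfs=yes is the FreeS/WAN default, so writing it out changes nothing;
    # it is only worth stating explicitly so nobody is surprised by the
    # default when comparing with the PIX.  Use pfs=no to turn it off.
    pfs=yes
    # Phase 1 (IKE) proposal: 3DES, SHA-1, DH group 2 (modp1024).
    # The DH group is chosen here, on the ike= line; pfs= only says
    # whether a fresh DH exchange is performed again for Phase 2.
    ike=3des-sha1-modp1024
    # Phase 2 (ESP) proposal.
    esp=3des-sha1
    # Lifetimes: 480 minutes = 8h on both phases, to match the remote side.
    ikelifetime=8h
    keylife=8h
    # Retry forever if the peer is unreachable.
    keyingtries=0
    # auto=start makes pluto negotiate at startup without waiting for
    # traffic from either side; auto=route only installs a trap so the
    # first outbound packet triggers negotiation; auto=add waits for the
    # peer or for "ipsec auto --up <conn>".
    auto=start

# Tunnel 1: LAN behind the Linux box <-> first server behind the PIX.
conn lan-to-srv1
    left=198.51.100.1
    leftsubnet=192.168.41.0/24
    right=203.0.113.1
    rightsubnet=10.146.10.82/32

# Tunnel 2: same LAN <-> second server behind the PIX.  A separate conn is
# needed because the PIX side is two /32 hosts, not one contiguous subnet.
conn lan-to-srv2
    left=198.51.100.1
    leftsubnet=192.168.41.0/24
    right=203.0.113.1
    rightsubnet=10.146.12.67/32
```

Check the result with `ipsec auto --status` (both conns should show an established IPsec SA) and `ipsec eroute` (one eroute per /32); if only the tunnel that the PIX side pinged shows up, the Linux side never initiated, which points at the auto= setting rather than at the destination port.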


More information about the Users mailing list