[Openswan Users] Multiple aliases per IF, bind to one
Paul Wouters
paul at xelerance.com
Thu Jun 9 22:12:52 CEST 2005
On Thu, 9 Jun 2005, Gary W. Smith wrote:
> But when I do a netstat I see that ipsec is listening on all interfaces on all IP's.
>
> udp 0 0 198.22.33.36:4500 0.0.0.0:*
> udp 0 0 198.22.33.37:4500 0.0.0.0:*
> udp 0 0 198.22.33.38:4500 0.0.0.0:*
> ... <skip another 90 entries>
> udp 0 0 198.22.33.122:4500 0.0.0.0:*
That is expected behaviour.
> The problem is that these additional aliases are NAT'd internal to a DMZ. We noticed a problem with this because we have a service running on port 4500
You shouldn't. Port 4500 is listed at IANA:
http://www.iana.org/assignments/port-numbers
ipsec-nat-t 4500/tcp IPsec NAT-Traversal
ipsec-nat-t 4500/udp IPsec NAT-Traversal
# [RFC3947]
> Does this make sense? Is it possible to limit it in this way with OpenSwan? I think this is also good practice to limit to what you want from both a security and resource standpoint.
The issue here is that pluto should pick up new IP addresses from non-permanent
links, such as serial/ppp/pptp/adsl/pppoe links. Therefore it listens to
INADDR_ANY.
Paul
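As an added audit check, not part of this thread or of Openswan itself: the script below parses `netstat -uln`-style output, reports how UDP/4500 is bound (wildcard, per alias, or not at all) and lists any bindings outside an allowed address set. The netstat sample is constructed to resemble the listing quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -uln` output, modelled on the thread's
# listing; the addresses and the extra NTP socket are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 198.22.33.36:4500       0.0.0.0:*
udp        0      0 198.22.33.37:4500       0.0.0.0:*
udp        0      0 198.22.33.38:4500       0.0.0.0:*
udp        0      0 198.22.33.36:500        0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# proto, recv-q, send-q, local address ending in ":port" (last colon wins,
# so bracketed IPv6 literals also split correctly), then foreign address.
LINE_RE = re.compile(r"^(udp6?|tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+")


def parse_udp_listeners(netstat_output):
    """Return {port: sorted local addresses} for every UDP listening socket."""
    by_port = defaultdict(set)
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(1).startswith("udp"):
            continue
        _, addr, port = m.groups()
        if port != "*":
            by_port[int(port)].add(addr)
    return {port: sorted(addrs) for port, addrs in by_port.items()}


def nat_t_binding_mode(listeners, port=4500):
    """Describe how the IPsec NAT-T port is bound: wildcard, per-address or unbound."""
    addrs = listeners.get(port, [])
    if not addrs:
        return "unbound"
    if "0.0.0.0" in addrs or "::" in addrs:
        return "wildcard"  # INADDR_ANY: present and future aliases alike
    return f"per-address ({len(addrs)} sockets)"


def unexpected_bindings(listeners, port, allowed):
    """Addresses bound on `port` that are not in the operator's allowed set."""
    return [a for a in listeners.get(port, []) if a not in set(allowed)]


if __name__ == "__main__":
    found = parse_udp_listeners(SAMPLE_NETSTAT)
    print("UDP/4500:", nat_t_binding_mode(found))
    print("outside allowed set:", unexpected_bindings(found, 4500, ["198.22.33.36"]))
```

Run it against real output with `netstat -uln | python3 audit.py` after replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`; a wildcard result means a second service on 4500 cannot coexist on any alias.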