[Openswan Users] Multiple aliases per IF, bind to one
paul at xelerance.com
Thu Jun 9 22:12:52 CEST 2005
On Thu, 9 Jun 2005, Gary W. Smith wrote:
> But when I do a netstat I see that ipsec is listening on all interfaces on all IP's.
> udp 0 0 18.104.22.168:4500 0.0.0.0:*
> udp 0 0 22.214.171.124:4500 0.0.0.0:*
> udp 0 0 126.96.36.199:4500 0.0.0.0:*
> ... <skip another 90 entries>
> udp 0 0 188.8.131.52:4500 0.0.0.0:*
That is expected behaviour.
> The problem is that these additional aliases are NAT'd internal to a DMZ. We noticed a problem with this because we have a service running on port 4500
You shouldn't. Port 4500 is listed at IANA:
ipsec-nat-t 4500/tcp IPsec NAT-Traversal
ipsec-nat-t 4500/udp IPsec NAT-Traversal
> Does this make sense? Is it possible to limit it in this way with OpenSwan? I think this is also good practice to limit to what you want from both a security and resource standpoint.
The issue here is that pluto should pick up new IP addresses from non-permanent
links, such as serial/ppp/pptp/adsl/pppoe links. Therefore it listens to
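A small audit helper, added here as an example and not taken from the thread or from Openswan itself, for the check Gary describes: parse Linux `netstat -an` style output and list which local addresses a UDP port (4500 for IKE NAT-T) is bound on, flagging any that fall outside an allowed set. The sample netstat lines and the addresses in them are constructed; the line regex assumes the usual Linux netstat column layout.

```python
# Added example (not from the Openswan list thread or the Openswan code base):
# audit which local addresses a UDP port is bound on, from netstat -an text.
import re
from collections import defaultdict

# Constructed sample of `netstat -anu` output; addresses are invented.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 192.0.2.10:4500         0.0.0.0:*
udp        0      0 192.0.2.11:4500         0.0.0.0:*
udp        0      0 192.0.2.11:500          0.0.0.0:*
udp        0      0 198.51.100.5:4500       0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Matches "udp  recv-q  send-q  local-addr:port  foreign-addr:port" (Linux netstat layout, assumed).
LINE_RE = re.compile(r"^(udp6?|tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listeners(text):
    """Return {(proto, port): set of local addresses} parsed from netstat -an text."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-socket line
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        listeners[(proto, port)].add(addr)
    return listeners


def addresses_on_port(text, port, proto="udp"):
    """Sorted list of local addresses bound on the given proto/port."""
    return sorted(parse_listeners(text).get((proto, port), set()))


def unexpected_bindings(text, port, allowed, proto="udp"):
    """Addresses bound on `port` that are not in `allowed`.

    A 0.0.0.0 wildcard socket covers every address (including aliases added
    later), so it is reported as its own finding rather than compared to the set.
    """
    bound = parse_listeners(text).get((proto, port), set())
    if "0.0.0.0" in bound:
        return ["0.0.0.0 (wildcard: all addresses)"]
    return sorted(bound - set(allowed))


if __name__ == "__main__":
    print("udp/4500 bound on:", addresses_on_port(SAMPLE_NETSTAT, 4500))
    print("outside allowed set:", unexpected_bindings(SAMPLE_NETSTAT, 4500, {"192.0.2.10"}))
```

Feed it the real output of `netstat -anu` (or adapt the regex for `ss -lun`) to confirm, after any config change, that the IKE listeners are only where you expect them and that no other service shares udp/4500 on the same address.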