[Openswan Users] About NAT-T on Openswan

Zheng Chuanbo zhengcb at netpower.com.cn
Sun Jun 12 23:12:29 CEST 2005


I tried NAT-T in Openswan but failed.  I guess there were some mistakes 
in my procedure. The configuration is as follows,
(openswan2.3)        (redhat 9.0)                (openswan2.3)
NAT client=====>       NAT device       ======> NAT server

The NAT translation is done on a Red Hat 9.0 box; the command is as follows,
	iptables -I POSTROUTING -t nat -s -j SNAT --to

After starting ipsec on both the server and the client, the ipsec 
connections 'seemed' to be set up successfully. 

During the setup of the connection, the tcpdump output is as follows,
21:02:33.742610 arp who-has tell
21:02:33.742621 arp reply is-at 0:d0:43:7a:c1:fe
21:02:40.164675 > isakmp: phase 1 I ident: [|sa] (DF)
21:02:40.164909 > isakmp: phase 1 R ident: [|sa] (DF)
21:02:40.187829 > isakmp: phase 1 I ident: [|ke] (DF)
21:02:40.204920 > isakmp: phase 1 R ident: [|ke] (DF)
21:02:40.219628 > isakmp: phase 1 I ident[E]: [encrypted id] (DF)
21:02:40.226188 > isakmp: phase 1 R ident[E]: [encrypted id] (DF)
21:02:40.287085 > isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
21:02:40.304568 > isakmp: phase 2/others R oakley-quick[E]: [encrypted hash] (DF)
21:02:40.357458 > isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)

On, with 'ipsec spi',
esp0x3a0c7400 at ESP_3DES_HMAC_MD5: dir=out src= iv_bits=64bits iv=0x8b69bc332048d0df ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(3207,0,0) refcount=4 ref=5433
esp0x9f38491f at ESP_3DES_HMAC_MD5: dir=in  src= iv_bits=64bits iv=0xce4ea9639d4fcd19 ooowin=64 seq=29 bit=0x1fffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(3016,0,0)addtime(3207,0,0)usetime(2909,0,0)packets(29,0,0) idle=2881 refcount=33 ref=5428
tun0x1004 at IPIP: dir=out src= life(c,s,h)=addtime(3207,0,0) refcount=4 ref=5432
tun0x1003 at IPIP: dir=in  src= policy=> flags=0x8<> life(c,s,h)=bytes(3016,0,0)addtime(3207,0,0)usetime(2909,0,0)packets(29,0,0) idle=2881 refcount=4 ref=5427

On, 'ipsec spi' also gave a similar result to the above. When running ping
from to, on with tcpdump I got,
	21:07:38.823063 > ESP(spi=0x9f38491f,seq=0x1)
	21:07:39.834683 > ESP(spi=0x9f38491f,seq=0x2)
	21:07:40.834629 > ESP(spi=0x9f38491f,seq=0x3)
But I never got any response packets. UDP was also tried, and it was 
the same.

So my questions are,
1) Is the ipsec connection really set up? If so, why are there no responses?

2) According to RFC 3947, the ISAKMP port should be changed from 500 to 4500 
if NAT is detected. But from the tcpdump output, it seems that the port was
not changed. So did NAT-T really happen on the connection above?

3) I also tried to connect WinXP (with SP2) to the server, with NAT between 
them. It also failed. So I think I should try two Openswan hosts first. 
Are there any instructions on NAT-T between WinXP and Openswan?

Thanks. Please cc.


Jack zheng

zhengchuanbo at sina.com
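Added example (not from the post or from Openswan) showing the two things question 2 above turns on: how RFC 3947 NAT detection works (each peer hashes its own address into a NAT-D payload, the receiver recomputes it from the address it actually saw, and a mismatch means a NAT rewrote the packet, after which both sides float to UDP 4500), and how to tell IKE, keepalives and UDP-encapsulated ESP apart on port 4500 when reading a capture (RFC 3948). The cookies and addresses are constructed; the hash algorithm is assumed to be MD5 for illustration, whereas a real peer uses the Phase 1 hash it negotiated.

```python
import hashlib
from ipaddress import ip_address

def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    # RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), IP and port in network
    # byte order. MD5 is an assumption here; the real choice is the negotiated Phase 1 hash.
    return hashlib.md5(cky_i + cky_r + ip_address(ip).packed + port.to_bytes(2, "big")).digest()

def nat_detected(cky_i: bytes, cky_r: bytes, natd_from_peer: bytes, seen_ip: str, seen_port: int) -> bool:
    # The receiver recomputes the peer's NAT-D with the source address/port it saw on the wire.
    # A mismatch means a NAT rewrote the IP header (or the UDP port) in transit.
    return natd_hash(cky_i, cky_r, seen_ip, seen_port) != natd_from_peer

def classify_udp4500(payload: bytes) -> str:
    # RFC 3948: on UDP 4500 a NAT keepalive is a single 0xFF byte, an IKE message starts
    # with a 4-byte zero "non-ESP marker", and anything else is UDP-encapsulated ESP whose
    # first 4 bytes are the SPI (SPI 0 is reserved, so the marker cannot be confused with it).
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:
        return "esp spi=0x%08x" % int.from_bytes(payload[:4], "big")
    return "malformed"

# Constructed scenario matching the topology in the post: the initiator sits behind an SNAT
# box that rewrites only its source address, the responder is on a public address.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
INITIATOR_PRIVATE = ("192.168.1.10", 500)   # what the initiator hashes into its NAT-D
INITIATOR_AS_SEEN = ("203.0.113.5", 500)    # what the responder observes after SNAT
RESPONDER = ("198.51.100.7", 500)

def scenario():
    natd_i = natd_hash(CKY_I, CKY_R, *INITIATOR_PRIVATE)
    natd_r = natd_hash(CKY_I, CKY_R, *RESPONDER)
    initiator_behind_nat = nat_detected(CKY_I, CKY_R, natd_i, *INITIATOR_AS_SEEN)
    responder_behind_nat = nat_detected(CKY_I, CKY_R, natd_r, *RESPONDER)
    # RFC 3947 section 4: if either side is behind a NAT, both peers move to UDP 4500 from the
    # ID exchange onward, and ESP is then carried inside UDP 4500 instead of as raw IP proto 50.
    port = 4500 if (initiator_behind_nat or responder_behind_nat) else 500
    return initiator_behind_nat, responder_behind_nat, port

if __name__ == "__main__":
    print(scenario())                                            # (True, False, 4500)
    print(classify_udp4500(b"\x00\x00\x00\x00" + b"\x01" * 28))  # ike
    print(classify_udp4500(bytes.fromhex("9f38491f00000001") + bytes(16)))  # esp spi=0x9f38491f
```

If a capture shows only raw `ESP(spi=...)` on IP protocol 50 and ISAKMP still on udp/500 after Phase 1, no port float took place, which is the condition question 2 asks about.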
