[Openswan Users] About NAT-T on Openswan

Paul Wouters paul at xelerance.com
Mon Jun 13 16:04:52 CEST 2005


On Sun, 12 Jun 2005, Zheng Chuanbo wrote:

> 10.0.0.183		10.0.0.1	192.168.0.183		192.168.0.137
> (openswan2.3)        (redhat 9.0)                (openswan2.3)
> NAT client=====>       NAT device       ======> NAT server
>
> The NAT translation is on a redhat9.0; the command is as follows,
> 	iptables -I POSTROUTING -t nat -s 10.0.0.0/24 -j SNAT --to 192.168.0.183

add -d \! 192.168.0.0/16 just to be safe?

> During the setup of the connection, the tcpdump output is as follows,

That does not give us any information. Log files are more useful.

> On 10.0.0.183 'ipsec spi' also gave a similar result as above. When running ping
> from 10.0.0.183 to 192.168.0.137, on 192.168.0.137 with tcpdump I got,
> 	21:07:38.823063 192.168.0.183 > 192.168.0.137: ESP(spi=0x9f38491f,seq=0x1)
ESP packets, so no NAT was detected or supported.

> So my questions are,
> 1) Is the IPsec connection really set up? But why are there no responses?

Use ipsec eroute (if using klips) to see if it is really up, but seeing that
you get ESP packets it seems to be the case.

> 2) According to rfc3947, the port of ISAKMP should be changed from 500 to 4500
> if NAT was detected. But from the tcpdump output, it seemed that the port was
> not changed. So did NAT-T really happen on the connection above?

Right. Check the logs to see why. Probably one of the machines does not support NAT-T
and NAT-T was disabled?

Paul
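
The check Paul is making from the tcpdump line (raw ESP on IP protocol 50 versus ESP encapsulated in UDP/4500 after IKE has floated from port 500) can be scripted. The following classifier is an added example, not code from the thread or from Openswan. It assumes tcpdump 3.x/4.x style lines ("src[.port] > dst[.port]: ..." with an optional "IP" token); the raw ESP line mirrors the one quoted above, the other sample lines are constructed to show what a working NAT-T session looks like.

```python
import re
from collections import Counter

# Capture as quoted in the thread: IKE on UDP/500, then ESP sent as IP protocol 50.
# (The isakmp line is constructed; the ESP line mirrors the quoted one.)
THREAD_CAPTURE = [
    "21:07:31.000001 192.168.0.183.500 > 192.168.0.137.500: isakmp: phase 1 I ident",
    "21:07:38.823063 192.168.0.183 > 192.168.0.137: ESP(spi=0x9f38491f,seq=0x1)",
]

# Constructed capture of a NAT-T session: IKE floats to 4500 and ESP is UDP-encapsulated
# (tcpdump prints "UDP-encap: ESP(...)" for RFC 3948 packets). Assumed formatting.
NATT_CAPTURE = [
    "21:08:01.000001 IP 192.168.0.183.500 > 192.168.0.137.500: isakmp: phase 1 I ident",
    "21:08:02.000001 IP 192.168.0.183.4500 > 192.168.0.137.4500: isakmp: phase 2/others I oakley-quick",
    "21:08:03.000001 IP 192.168.0.183.4500 > 192.168.0.137.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1)",
]

# "timestamp [IP] src[.port] > dst[.port]: rest"
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?"
    r"\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)
SPI_RE = re.compile(r"ESP\(spi=(0x[0-9a-fA-F]+)")


def classify(line):
    """Return (kind, spi) for one tcpdump line, or (None, None) if it is not IPsec/IKE."""
    m = LINE_RE.match(line)
    if not m:
        return None, None
    rest = m.group("rest")
    sport, dport = m.group("sport"), m.group("dport")
    spi_m = SPI_RE.search(rest)
    spi = spi_m.group(1) if spi_m else None
    if rest.startswith("UDP-encap:") and spi:
        return "esp-udp-encap", spi      # ESP inside UDP/4500: NAT-T is active
    if rest.startswith("ESP(") and sport is None:
        return "esp-raw", spi            # IP protocol 50: no NAT-T, a NAT in the path breaks it
    if "isakmp" in rest:
        if "4500" in (sport, dport):
            return "ike-4500", None      # IKE floated to 4500 after NAT detection (RFC 3947)
        if "500" in (sport, dport):
            return "ike-500", None       # IKE still on 500: NAT not (yet) detected
    return None, None


def diagnose(lines):
    """Summarise a capture: per-kind counts, ESP SPIs seen, and a NAT-T verdict."""
    counts = Counter()
    spis = set()
    for line in lines:
        kind, spi = classify(line)
        if kind:
            counts[kind] += 1
        if spi:
            spis.add(spi)
    if counts["esp-udp-encap"] or counts["ike-4500"]:
        verdict = "nat-t"        # NAT detected and traversal negotiated
    elif counts["esp-raw"]:
        verdict = "no-nat-t"     # the situation in the thread: raw ESP through a SNAT box
    elif counts["ike-500"]:
        verdict = "ike-only"     # IKE seen but no SA traffic yet
    else:
        verdict = "no-ipsec"
    return {"counts": dict(counts), "spis": sorted(spis), "verdict": verdict}


if __name__ == "__main__":
    print("thread capture:", diagnose(THREAD_CAPTURE))
    print("nat-t capture: ", diagnose(NATT_CAPTURE))
```

Feed it the output of tcpdump on the server side; a verdict of "no-nat-t" together with a SNAT in the path matches the symptom in the thread (ESP arrives, nothing answers), and the next place to look is the pluto log to see why NAT-T was not negotiated.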

