[Openswan Users] About NAT-T on Openswan

Paul Wouters paul at xelerance.com
Mon Jun 13 16:04:52 CEST 2005

On Sun, 12 Jun 2005, Zheng Chuanbo wrote:

> (openswan2.3)        (redhat 9.0)                (openswan2.3)
> NAT client=====>       NAT device       ======> NAT server
> The NAT translation is done on a redhat9.0 box, the command is as follows,
> 	iptables -I POSTROUTING -t nat -s -j SNAT --to

add -d \! just to be safe?

> During the setup of the connection, the tcpdump output is as follows,

That does not give us any information. Log files are more useful.

> On 'ipsec spi' also gave a similar result as above. When run ping
> from to, on with tcpdump I got,
> 	21:07:38.823063 > ESP(spi=0x9f38491f,seq=0x1)
ESP packets, so no NAT was detected or supported.

> So my questions are,
> 1) Is the ipsec connection really set up? But why are there no responses?

Use ipsec eroute (if using klips) to see if it is really up, but seeing that
you get ESP packets it seems to be the case.

> 2) According to rfc3947, the port of ISAKMP should be changed from 500 to 4500
> if NAT was detected. But from the tcpdump output, it seemed that the port was
> not changed. So has nat-t really happened on the connection above?

Right. Check the logs for why. Probably one of the machines does not support NAT-T
and nat-t was disabled?
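The diagnostic Paul describes (raw ESP on the wire means NAT was not detected, NAT-T per RFC 3947 shows up as IKE and ESP floating to UDP/4500) can be checked mechanically against a tcpdump capture. The following is an added example, not code from the thread or from Openswan; the functions `classify` and `diagnose`, the regexes, and the sample capture lines (built with documentation addresses and a made-up SPI) are all constructed for illustration, and the line format assumed is tcpdump's usual `IP src.port > dst.port:` text output for IPv4.

```python
import re
from collections import Counter

# Hypothetical parser for tcpdump text output (IPv4 only, an assumption of this example).
# Matches "src[.port] > dst[.port]:" as tcpdump prints it; raw ESP lines have no ports.
_ENDPOINTS = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s*>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:"
)
# ESP header summary as tcpdump prints it, both for raw ESP and UDP-encapsulated ESP.
_ESP = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")

IKE_PORT = 500       # ISAKMP before NAT detection
NAT_T_PORT = 4500    # RFC 3947: IKE and ESP float here once NAT is detected


def classify(line):
    """Label one tcpdump line: isakmp, nat-t-isakmp, udp-encap-esp, raw-esp or other."""
    m = _ENDPOINTS.search(line)
    if not m:
        return "other"
    ports = {int(p) for p in (m.group("sport"), m.group("dport")) if p is not None}
    has_esp = _ESP.search(line) is not None
    if NAT_T_PORT in ports:
        # Anything on 4500 means the peers agreed on NAT traversal.
        return "udp-encap-esp" if has_esp else "nat-t-isakmp"
    if IKE_PORT in ports and "isakmp" in line:
        return "isakmp"
    if not ports and has_esp:
        # ESP directly over IP (protocol 50): no NAT-T in use for this SA.
        return "raw-esp"
    return "other"


def diagnose(capture):
    """Count line classes and give a verdict on whether NAT-T was negotiated."""
    counts = Counter(classify(l) for l in capture.splitlines() if l.strip())
    if counts["nat-t-isakmp"] or counts["udp-encap-esp"]:
        verdict = "NAT-T in use: IKE floated to UDP/4500 (RFC 3947)"
    elif counts["raw-esp"]:
        verdict = ("no NAT-T: raw ESP (IP proto 50) on the wire, "
                   "NAT not detected or NAT-T disabled on a peer")
    elif counts["isakmp"]:
        verdict = "IKE on UDP/500 only, no IPsec SA traffic seen"
    else:
        verdict = "no IKE/IPsec traffic in capture"
    return counts, verdict


# Constructed sample captures (documentation addresses, invented SPIs), not real traffic.
SAMPLE_NO_NATT = """\
21:07:30.100000 IP 10.0.0.2.500 > 203.0.113.10.500: isakmp: phase 1 I ident
21:07:30.200000 IP 203.0.113.10.500 > 10.0.0.2.500: isakmp: phase 1 R ident
21:07:38.823063 IP 10.0.0.2 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x1)
"""

SAMPLE_NATT = """\
21:08:01.000000 IP 10.0.0.2.500 > 203.0.113.10.500: isakmp: phase 1 I ident
21:08:01.100000 IP 203.0.113.10.500 > 10.0.0.2.500: isakmp: phase 1 R ident
21:08:02.000000 IP 10.0.0.2.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]
21:08:03.000000 IP 10.0.0.2.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a1b2c3e,seq=0x1), length 132
"""

if __name__ == "__main__":
    for name, cap in (("no NAT-T", SAMPLE_NO_NATT), ("NAT-T", SAMPLE_NATT)):
        counts, verdict = diagnose(cap)
        print(f"{name}: {dict(counts)} -> {verdict}")
```

Run it against a real capture with something like `tcpdump -n -i eth0 'udp port 500 or udp port 4500 or esp'` saved to a file and passed to `diagnose`; the `-n` matters because the endpoint regex expects numeric addresses. Seeing only the `raw-esp` class, as in the original report, is exactly the symptom Paul points at: the IKE exchange never switched to 4500, so the next place to look is the Openswan log on both peers for the NAT-T detection outcome.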
