[Openswan Users] NAT Problem
Jacco de Leeuw
jacco2 at dds.nl
Thu May 12 10:39:30 CEST 2005
Tom Hughes wrote:
> After that nothing more happens - tcpdump shows the gateway sending
> more IKE packets to him but we get no response. This has never been
> a problem in the past - before the upgrade he was able to use tunnel
> mode with the IPSEC passthrough in his router just fine so IKE traffic
> normally gets through.
NAT-T and IPsec passthrough are incompatible. If you prefer to use the
router's IPsec passthrough, you will have to disable NAT-T.
> May 11 11:51:06 gate kernel: martian source yyy.yyy.yyy.yyy from 192.168.0.2, on dev eth0
> May 11 11:51:06 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00
> I have made sure rp_filter is turned off for all interfaces.
I have not seen this error in Openswan because Openswan clears rp_filter
automatically. So I don't know what is going on here.
> So currently he can't get connected at all from behind his router not
> even using IPSEC passthrough which has always worked before. A direct
> dialup without NAT works fine with a transport mode connection.
Should you want to try NAT-T after all, then perhaps you could try your
luck with a more recent kernel and/or Openswan.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl