[Openswan Users] NAT Problem
Tom Hughes
thh at cyberscience.com
Thu May 12 09:48:49 CEST 2005
In message <42830832.9090709 at dds.nl>
Jacco de Leeuw <jacco2 at dds.nl> wrote:
> Tom Hughes wrote:
>
>> After that nothing more happens - tcpdump shows the gateway sending
>> more IKE packets to him but we get no response. This has never been
>> a problem in the past - before the upgrade he was able to use tunnel
>> mode with the IPSEC passthrough in his router just fine so IKE traffic
>> normally gets through.
>
> NAT-T and IPsec passthrough are incompatible. If you prefer to use the
> router's IPsec passthrough, you will have to disable NAT-T.
I want to use NAT-T because tunnel mode connections from Windows
systems (required for IPsec passthrough) seem to be incompatible
with the Windows firewall.
Unfortunately on this particular system I can't get NAT-T to work
and IPsec passthrough also seems to have stopped working...
>> May 11 11:51:06 gate kernel: martian source yyy.yyy.yyy.yyy from 192.168.0.2, on dev eth0
>> May 11 11:51:06 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00
>> I have made sure rp_filter is turned off for all interfaces.
>
> I have not seen this error in Openswan because Openswan clears rp_filter
> automatically. So I don't know what is going on here.
Well I don't actually see any obvious link between those messages and
rp_filter anyway, at least from a brief read of the kernel source
code. It was just that some messages I found on Google mentioned
turning it off in relation to those messages.
>> So currently he can't get connected at all from behind his router, not
>> even using IPSEC passthrough, which has always worked before. A direct
>> dialup without NAT works fine with a transport mode connection.
>
> Should you want to try NAT-T after all, then perhaps you could try your
> luck with a more recent kernel and/or Openswan.
Well the kernel is 2.6.11 already. I might have to try a more recent
build of openswan I guess. I'm using the Fedora Core 3 build at the
moment.
Tom
--
Tom Hughes (thh at cyberscience.com)
Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/
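A small parser for the two kernel lines quoted in this thread, added here as an example (not from the thread or from Openswan): it pairs each "martian source" line with the "ll header" dump that follows it, splits that dump into destination MAC, source MAC and EtherType, and counts repeats per source address and interface. The sample log is constructed; 203.0.113.5 stands in for the masked address, and note that the kernel prints the packet's destination first and the rejected source second.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the two kernel lines quoted in the thread; 203.0.113.5 stands in for the masked address.
SAMPLE_LOG = """\
May 11 11:51:06 gate kernel: martian source 203.0.113.5 from 192.168.0.2, on dev eth0
May 11 11:51:06 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00
May 11 11:51:09 gate kernel: martian source 203.0.113.5 from 192.168.0.2, on dev eth0
May 11 11:51:09 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00
May 11 11:52:00 gate sshd[123]: unrelated line
"""

MARTIAN_RE = re.compile(r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")
LLHDR_RE = re.compile(r"ll header: (?P<hex>(?:[0-9a-f]{2}:)+[0-9a-f]{2})")

@dataclass
class Martian:
    dst: str  # the kernel prints the packet's destination first ...
    src: str  # ... and the rejected source address second
    dev: str
    dst_mac: Optional[str] = None
    src_mac: Optional[str] = None
    ethertype: Optional[int] = None

def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' dump that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = Martian(m["dst"], m["src"], m["dev"])
            events.append(pending)
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            octets = h["hex"].split(":")
            if len(octets) >= 14:  # Ethernet: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType
                pending.dst_mac = ":".join(octets[0:6])
                pending.src_mac = ":".join(octets[6:12])
                pending.ethertype = int(octets[12] + octets[13], 16)
            pending = None
    return events

def summarize(events):
    """Count martians per (source IP, interface) so a repeat offender stands out."""
    counts = {}
    for ev in events:
        counts[(ev.src, ev.dev)] = counts.get((ev.src, ev.dev), 0) + 1
    return counts
```

Running it over the quoted pair would show the frames arriving on eth0 from 192.168.0.2 with EtherType 0x0800 (IPv4), which is what rp_filter would have rejected had it been the cause.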