[Openswan Users] Aggressive mode, NAT-T, destination behind NAT
Paul Wouters
paul at xelerance.com
Wed Apr 12 17:54:24 CEST 2006
On Mon, 10 Apr 2006, Brian Candler wrote:
> 003 "office" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 003 "office" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
So the cisco is broken. Is tere a firmware update?
You could try specifying rightprotoport=17/%any (or 17/0 if %any is not allowed
because you are initiating)
> @mygroup X.X.X.65 : PSK "..."
>
> This works using the Cisco client for Linux, and vpnc under FreeBSD, but not
> with Openswan 2.4.5.
>
> Openswan logs don't show any NAT-T decision-making, even though natt logging
> is on. I think it's simply not getting that far.
It does log it is using method 108 for nat-t. So that part seems to get
negotiated fine.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list