[Openswan Users] Aggressive mode, NAT-T, destination behind NAT

Paul Wouters paul at xelerance.com
Wed Apr 12 17:54:24 CEST 2006

On Mon, 10 Apr 2006, Brian Candler wrote:

> 003 "office" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 003 "office" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

So the Cisco is broken. Is there a firmware update?
You could try specifying rightprotoport=17/%any (or 17/0 if %any is not allowed
because you are initiating)

> @mygroup X.X.X.65 : PSK "..."
> This works using the Cisco client for Linux, and vpnc under FreeBSD, but not
> with Openswan 2.4.5.
> Openswan logs don't show any NAT-T decision-making, even though natt logging
> is on. I think it's simply not getting that far.

It does log it is using method 108 for nat-t. So that part seems to get
negotiated fine.
