[Openswan Users] Aggressive mode, NAT-T, destination behind NAT

Brian Candler B.Candler at pobox.com
Wed Apr 12 17:06:16 CEST 2006

On Wed, Apr 12, 2006 at 04:54:24PM +0200, Paul Wouters wrote:
> On Mon, 10 Apr 2006, Brian Candler wrote:
> > 003 "office" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> > 003 "office" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> So the cisco is broken. Is tere a firmware update?

That part is OK - in Openswan 2.4.5 that message is just a warning. Also, it
works fine when I'm using Openswan 2.4.5 to Cisco IOS with main mode. I get
the same warning and it proceeds.

But in this scenario, to the office PIX, I have to use aggressive mode to
get my PSK group identifier across.

> > @mygroup X.X.X.65 : PSK "..."
> >
> > This works using the Cisco client for Linux, and vpnc under FreeBSD, but not
> > with Openswan 2.4.5.
> >
> > Openswan logs don't show any NAT-T decision-making, even though natt logging
> > is on. I think it's simply not getting that far.
> It does log it is using method 108 for nat-t. So that part seems to get
> negotiated fine.

What I mean is, it doesn't show the part where it evaluates the hashes to
decide whether the local IP/port is behind NAT, and/or the remote IP/port is
behind NAT. It doesn't seem to get this far, because it decides there is no
connection matching the remote identity.

I can try replicating this in an openswan-to-openswan setup if you have an
interest (that is, I've read on this list that aggressive mode is not well
supported in openswan, so it depends whether you want to work on this or



More information about the Users mailing list