[Openswan Users] [Possible Spam] Re: followup
Brian Candler
B.Candler at pobox.com
Fri Apr 21 17:39:31 CEST 2006
On Fri, Apr 21, 2006 at 04:34:54PM +0200, Geert Janssens wrote:
> I still wonder though if our initial setup (both ipsec peers behind a natting
> firewall) could have worked, if the proper forwardings were possible on the
> hardware firewall. We didn't have the time or resources to fully investigate
> this.
If using NAT-T, then ESP is encapsulated in UDP port 4500, rather than IP
protocol 50. So it would probably have worked.
This encapsulation is selected automatically if the two sides support
NAT-T and detect that the IKE exchange on UDP port 500 has gone through
NAT.
HTH,
Brian.
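As an added example, not code from this thread or from Openswan, the mechanism Brian describes in Python: the RFC 3947 NAT-D check by which a peer learns that the IKE exchange on UDP/500 crossed a NAT, and the RFC 3948 demux of what arrives on UDP/4500. The cookies, addresses and SHA-1 as the negotiated hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# RFC 3947 NAT-D payload, assuming SHA-1 is the hash negotiated for the ISAKMP SA.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D body: HASH(CKY-I | CKY-R | IP | Port), port in network byte order."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def build_nat_d(cky_i, cky_r, peer, local_candidates):
    """Sender: first payload hashes the peer's address (the packet destination),
    the remaining ones hash every local address the sender might be using."""
    return [nat_d_hash(cky_i, cky_r, *peer)] + \
           [nat_d_hash(cky_i, cky_r, *a) for a in local_candidates]

def check_nat_d(cky_i, cky_r, nat_d, observed_src, observed_dst):
    """Receiver: recompute the hashes from the addresses actually seen on the wire.
    A mismatch means a NAT rewrote that side of the IKE exchange on UDP/500."""
    local_plain = nat_d[0] == nat_d_hash(cky_i, cky_r, *observed_dst)
    remote_plain = any(h == nat_d_hash(cky_i, cky_r, *observed_src) for h in nat_d[1:])
    return {"local_behind_nat": not local_plain,
            "remote_behind_nat": not remote_plain,
            "use_udp_4500": not (local_plain and remote_plain)}

def classify_udp4500(payload: bytes) -> str:
    """RFC 3948 demux on UDP/4500: four zero bytes = IKE (non-ESP marker, SPI 0 is
    reserved so it cannot be ESP), a single 0xFF = NAT keepalive, otherwise ESP."""
    if payload == b"\xff":
        return "keepalive"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "esp"

def demo():
    # Constructed scenario: initiator 192.168.1.10 sits behind a NAT that maps it
    # to 203.0.113.5:1234; responder 198.51.100.7 is directly reachable.
    cky_i, cky_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    payloads = build_nat_d(cky_i, cky_r, ("198.51.100.7", 500), [("192.168.1.10", 500)])
    # The responder sees the packet arrive from the NAT's public address, not 192.168.1.10.
    return check_nat_d(cky_i, cky_r, payloads, ("203.0.113.5", 1234), ("198.51.100.7", 500))

if __name__ == "__main__":
    print(demo())  # remote_behind_nat is True, so both sides move to UDP/4500
```

With both peers behind NATs, as in Geert's original setup, both flags come back True and each side needs its NAT to forward UDP/500 and UDP/4500 (or to keep the mapping open via keepalives) rather than raw IP protocol 50.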