[Openswan Users] [Possible Spam] Re: followup

Brian Candler B.Candler at pobox.com
Fri Apr 21 17:39:31 CEST 2006

On Fri, Apr 21, 2006 at 04:34:54PM +0200, Geert Janssens wrote:
> I still wonder though if our initial setup (both ipsec peers behind a natting 
> firewall) could have worked, if the proper forwardings were possible on the 
> hardware firewall. We didn't have the time or resources to fully investigate 
> this.

If using NAT-T, then ESP is encapsulated in UDP port 4500, rather than IP
protocol 50. So it would probably have worked.

This encapsulation is selected automatically, if the two sides support
NAT-T, and detect that the IKE exchange on UDP port 500 has gone through



More information about the Users mailing list