[Openswan Users] IPSec nat-t behavior
Pjothi
pjothi at gmail.com
Sat Feb 18 10:02:56 CET 2006
Hello all,
I have been setting up IPSec nat-t in tunnel mode in a LAN test
environment using Suse Linux 10 which uses openswan.
A ------------- B ------------------- C
B and C belong to same subnet.
I would like to establish IPSec between A and C which belong to
different subnets. So I use iptables SNAT in between which basically
NATs address A to address B. nat-t works fine but also exhibits
strange behavior.
1. Sometimes there is normal behaviour (mostly the first time) that A
realizes it's behind a NAT and establishes an SA with C, using UDP
encapsulation.
2. The second time I bootstrap IPSec, A responds that both are NATed.
Even if I disable NAT in between, I still get the same response that
both are NATed. Sometimes it doesn't recognize the NAT at all.
I believe the reason is that some session establishment is cached and
complete NAT-D (NAT discovery) is not happening every time. Should I be
clearing any cache before I restart IPSec so that the complete NAT-D
is done every time, or what could be the reasons for this abnormal
behaviour?
Any inputs will be useful and greatly appreciated.
Many thanks,
Pj
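To make the NAT-D step the post is asking about concrete, here is an added worked example of the RFC 3947 NAT discovery computation; it is not code from the original message or from Openswan. It assumes SHA-1 as the negotiated hash and uses constructed ISAKMP cookies and addresses modelled on the A -- B -- C layout above (A at 10.0.1.5 source-NATed to B's address 10.0.2.1, C at 10.0.2.7, IKE on UDP/500). The receiver flags itself as behind a NAT when the first NAT-D hash does not match any of its own address/port pairs, and flags the peer as behind a NAT when none of the remaining hashes match the source address seen in the packet header. The last scenario shows the purely mechanical reason a "both ends NATed" result appears whenever the two sides compute the hashes over different cookies, which is why a stale or mismatched cookie state produces that outcome even with no NAT on the path.

```python
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) as defined in RFC 3947.

    SHA-1 is an assumption here; the real hash is whatever IKE phase 1 negotiated.
    IP is encoded as 4 network-order bytes, port as a 2-byte big-endian integer.
    """
    return hashlib.sha1(
        cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    ).digest()


def build_nat_d(cky_i, cky_r, remote, local_candidates):
    """Sender side: first payload covers the remote (ip, port) as the sender
    believes it to be, the rest cover the sender's own candidate addresses."""
    payloads = [nat_d_hash(cky_i, cky_r, *remote)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, port) for ip, port in local_candidates]
    return payloads


def detect_nat(payloads, cky_i, cky_r, my_addrs, peer_seen):
    """Receiver side. Returns (i_am_behind_nat, peer_is_behind_nat).

    my_addrs:  list of the receiver's own (ip, port) pairs
    peer_seen: (ip, port) taken from the IP/UDP header of the received packet
    """
    first, rest = payloads[0], payloads[1:]
    my_hashes = {nat_d_hash(cky_i, cky_r, ip, port) for ip, port in my_addrs}
    # Peer's view of me differs from my real address -> I am behind a NAT.
    i_am_behind_nat = first not in my_hashes
    # Address the packet actually arrived from is not one the peer claimed -> peer NATed.
    peer_is_behind_nat = nat_d_hash(cky_i, cky_r, *peer_seen) not in rest
    return i_am_behind_nat, peer_is_behind_nat


# Constructed addresses for the A -- B -- C test LAN (not real hosts).
A_IP, B_IP, C_IP, IKE_PORT = "10.0.1.5", "10.0.2.1", "10.0.2.7", 500


def scenario(snat: bool, cookies_match: bool):
    """Run one IKE initiator (A) -> responder (C) NAT-D exchange and return C's verdict."""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8          # constructed cookies
    # A computes its NAT-D payloads over the cookies it holds.
    payloads = build_nat_d(cky_i, cky_r, remote=(C_IP, IKE_PORT),
                           local_candidates=[(A_IP, IKE_PORT)])
    # With SNAT at B, C sees the packet arrive from B's address.
    peer_seen = (B_IP if snat else A_IP, IKE_PORT)
    # If C's cookie state differs from A's, every hash comparison fails.
    c_cky_r = cky_r if cookies_match else b"\x03" * 8
    return detect_nat(payloads, cky_i, c_cky_r, [(C_IP, IKE_PORT)], peer_seen)


if __name__ == "__main__":
    print("SNAT on, cookies agree :", scenario(snat=True, cookies_match=True))
    print("SNAT off, cookies agree:", scenario(snat=False, cookies_match=True))
    print("SNAT off, cookies differ:", scenario(snat=False, cookies_match=False))
```

Running it prints `(False, True)` for the SNAT case (C is not NATed, A is), `(False, False)` with NAT disabled, and `(True, True)` once the cookies disagree, which matches the "both are NATed" symptom the post describes without any NAT in the path. When debugging a real exchange, compare the cookies and the hash payloads on both ends (for example from a packet capture of the UDP/500 ISAKMP messages) against this computation to tell a genuine NAT from a mismatched-state result.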