[Openswan Users] IPSec nat-t behavior

Pjothi pjothi at gmail.com
Sat Feb 18 10:02:56 CET 2006


Hello all,

I have been setting up IPSec nat-t in tunnel mode in a LAN test
environment using Suse Linux 10 which uses openswan.

A ------------- B ------------------- C

B and C belong to the same subnet.

I would like to establish IPSec between A and C which belong to
different subnets. So I use iptables SNAT in between which basically
NATs address A to address B. nat-t works fine but also exhibits
strange behavior.

1. Sometimes there is normal behaviour (mostly the first time): A
realizes it's behind a NAT and establishes an SA with C, using UDP
encapsulation.

2. The second time I bootstrap IPSec, A responds that both are NATed.
Even if I disable NAT in between, I still get the same response that
both are NATed. Sometimes it doesn't recognize the NAT at all.

I believe the reason is that some session establishment is cached and
a complete NAT-D (NAT discovery) is not happening every time. Should I be
clearing any cache before I restart IPSec so that the complete NAT-D
is done every time, or what could be the reasons for this abnormal
behaviour?

Any inputs will be useful and greatly appreciated.

many thanks,
Pj
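The question turns on what NAT-D actually compares, so here is an added illustration of the RFC 3947 NAT-D exchange, written for this archive page; it is not code from the poster or from Openswan. Cookie values and the addresses for A, B and C are constructed, the function names are my own, and SHA-1 is assumed as the negotiated IKE hash. Each side hashes the cookies together with the IP and port it believes it is using; the receiver recomputes the same hashes from the addresses it actually sees on the wire, and any mismatch means a NAT rewrote something in between. Because both cookies are inside the hash, the comparison also fails on every payload when the two ends are not working from the same cookies, which looks exactly like "both sides NATed"; that is a property of the construction, shown in the last scenario, not a diagnosis of the poster's setup.

```python
import hashlib
import socket
import struct

# Constructed sample values: IKEv1 initiator/responder cookies (8 bytes each).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

# Hypothetical topology from the post: A is SNATed to B's address before reaching C.
A_IP, B_IP, C_IP = "10.0.0.5", "192.168.1.1", "192.168.1.20"
IKE_PORT = 500


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the negotiated IKE hash algorithm."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, src_ip, src_port, dst_ip, dst_port):
    """Sender side. The first payload covers the destination (peer) address;
    the following payload(s) cover the sender's own address(es)."""
    return [nat_d_hash(cky_i, cky_r, dst_ip, dst_port),
            nat_d_hash(cky_i, cky_r, src_ip, src_port)]


def detect_nat(cky_i, cky_r, payloads, observed_src_ip, observed_src_port,
               local_ip, local_port):
    """Receiver side. Recompute the hashes from the addresses actually seen
    on the wire and compare them with what the peer sent.
    Returns (peer_behind_nat, local_behind_nat)."""
    peer_view_of_us, peer_views_of_self = payloads[0], payloads[1:]
    seen_peer = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    seen_local = nat_d_hash(cky_i, cky_r, local_ip, local_port)
    # Peer's own-address hash does not match the source we see -> peer is NATed.
    peer_behind_nat = seen_peer not in peer_views_of_self
    # Peer's hash of our address does not match our own -> we are NATed.
    local_behind_nat = peer_view_of_us != seen_local
    return peer_behind_nat, local_behind_nat


def scenario(snat, cky_i_at_c=CKY_I, cky_r_at_c=CKY_R):
    """Simulate A -> C with optional SNAT (A rewritten to B) in between.
    cky_*_at_c let the caller show what happens when C computes with cookies
    that differ from the ones A used (e.g. stale state)."""
    payloads = build_nat_d(CKY_I, CKY_R, A_IP, IKE_PORT, C_IP, IKE_PORT)
    src_seen_by_c = B_IP if snat else A_IP
    return detect_nat(cky_i_at_c, cky_r_at_c, payloads,
                      src_seen_by_c, IKE_PORT, C_IP, IKE_PORT)


if __name__ == "__main__":
    print("SNAT on, cookies agree:      ", scenario(True))    # (True, False)
    print("SNAT off, cookies agree:     ", scenario(False))   # (False, False)
    print("SNAT off, wrong cookies at C:", scenario(False, cky_i_at_c=bytes(8)))  # (True, True)
```

Run it directly and the three printed tuples show the three outcomes: only A detected behind NAT, no NAT detected, and both ends flagged although no address was rewritten. When chasing odd NAT-T results, checking that both peers are hashing with the cookies of the current exchange is a quick way to separate a real NAT from a state mismatch.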
