[Openswan Users] nat_traversal in manual keying ?

Francesco Peeters Francesco at FamPeeters.com
Tue Feb 28 14:25:40 CET 2006


On Tue, February 28, 2006 14:05, Pjothi said:
> Dear all,
>
> I have a basic question.
>
> Can nat-traversal be forced in Manual keying?
>
> I just want to use setkey but want nat_traversal be forced or enabled in
> manual keying.
>
> No IKE needed, so I can't use Racoon. So just editing setkey.conf and
> setting SAD and SPD to kernel, can NAT-T be enabled and/or forced?
>
> Can we use the following,
>
> nat_traversal force;
>
> Any help would be very helpful and many thanks,
>
> Pjothi

I am not an OpenSwan programmer (I *am* a programmer, but not on OpenSwan,
just to clear any misunderstandings before they occur <G>), but do know
something about IPsec and IKE.

NAT-T depends on encapsulating the IPsec traffic in UDP packets. Although
this could theoretically be done with manual keying, it is customarily
connected to the IKE negotiations, and usually uses the IKE port for
encapsulation. I am not sure whether that is a rule or just a bit of
logical reasoning (if IKE worked, you can be sure UDP500 is passable), and
I have also seen UDP Encapsulation on other port numbers.

This means that the probability of this being possible is against you. Of course
in the end only people involved in the OpenSwan project can confirm this,
but this bit of knowledge on the normal workings of IKE and NAT-T may be
helpful for now...

(If not, then excuse me for the pollution of your inbox! <G>)

-- 
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C  D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.
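The UDP encapsulation the reply refers to is specified by RFC 3948: ESP is carried in UDP (normally port 4500, the port IKE floats to when a NAT is detected), and IKE messages on the same port are prefixed with a four-byte zero "non-ESP marker" so a receiver can tell the two apart. The following is an added example, not code from the thread or from Openswan: a small demultiplexer for that framing, with the ESP-in-UDP builder beside it, run on constructed sample payloads.

```python
import struct

NAT_T_PORT = 4500                    # RFC 3948 / RFC 3947 port for ESP-in-UDP and floated IKE
NON_ESP_MARKER = b"\x00\x00\x00\x00" # four zero bytes precede an IKE message on 4500/udp
NAT_KEEPALIVE = b"\xff"              # a single 0xFF byte keeps the NAT mapping alive
ESP_HEADER_LEN = 8                   # SPI (4 bytes) + sequence number (4 bytes)


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """Build the UDP payload for a NAT-T ESP packet: the plain ESP header
    (SPI, sequence number) followed by the ESP body, with no marker.
    The SPI is never zero, which is what lets the receiver distinguish
    ESP from the zero non-ESP marker that introduces IKE."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def classify_nat_t_payload(udp_payload: bytes) -> dict:
    """Classify the payload of one UDP datagram received on the NAT-T port,
    following the RFC 3948 receiver rules (keepalive, IKE, or ESP)."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if udp_payload.startswith(NON_ESP_MARKER):
        # IKE message follows the marker; the IKE header itself is 28 bytes
        ike = udp_payload[len(NON_ESP_MARKER):]
        if len(ike) < 28:
            return {"kind": "malformed", "reason": "IKE message shorter than its header"}
        return {"kind": "ike", "payload_len": len(ike)}
    if len(udp_payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    spi, seq = struct.unpack("!II", udp_payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "seq": seq, "body_len": len(udp_payload) - ESP_HEADER_LEN}


if __name__ == "__main__":
    # Constructed sample datagrams, as a NAT-T listener on port 4500 would see them
    samples = [
        NAT_KEEPALIVE,
        NON_ESP_MARKER + b"\x11" * 28,                      # marker + a 28-byte IKE header
        encapsulate_esp(0x12345678, 7, b"\xaa" * 16),       # ESP with a 16-byte body
        b"\x00\x00\x00\x01\x02",                            # too short to be ESP
    ]
    for datagram in samples:
        print(classify_nat_t_payload(datagram))
```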