[Ipsec-tools-users] Re: [Openswan Users] nat_traversal in manual keying ?
VANHULLEBUS Yvan
vanhu at free.fr
Tue Feb 28 14:37:14 CET 2006
On Tue, Feb 28, 2006 at 02:25:40PM +0100, Francesco Peeters wrote:
> On Tue, February 28, 2006 14:05, Pjothi said:
[NAT-T encapsulation in manual keying]
> I am not an OpenSwan programmer (I *am* a programmer, but not on OpenSwan,
> just to clear any misunderstandings before they occur <G>), but do know
> something about IPsec and IKE.
I am not an OpenSwan developer/user, but I am an ipsec-tools (and also
a "non official" BSD IPSec stack) developer :-)
> NAT-T depends on encapsulating the IPsec traffic in UDP packets. Although
> this could theoretically be done with manual keying, it is customarily
> connected to the IKE negotiations,
Yep.
> and usually uses the IKE port for
> encapsulation.
No. Using UDP port 500 was only done for first draft versions, latest
versions and RFCs use a "port floating" to UDP 4500.
But it still needs NAT-T keepalives (done by racoon, I don't know if
this is done in kernel stack or userland for *Swan), and NAT-T has
really been done for IKE negotiations, not static keying.
Yvan.
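Yvan's point about port floating to UDP 4500 and NAT-T keepalives, illustrated by an added example that is not code from this thread or from ipsec-tools/*Swan: a small classifier for the three things that share UDP/4500 under RFC 3948 and RFC 3947 (a one-byte keepalive, IKE behind the four-zero-byte non-ESP marker, and UDP-encapsulated ESP), run over constructed datagrams.

```python
import struct
from collections import Counter

# Wire constants from RFC 3948 (UDP-encapsulated ESP) and RFC 3947 (IKE NAT-T).
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixed to IKE on 4500; SPI 0 is reserved, so ESP never starts this way
NAT_KEEPALIVE = b"\xff"               # one-byte datagram sent only to keep the NAT mapping alive
ISAKMP_HDR = "!8s8sBBBBII"            # initiator SPI, responder SPI, next payload, version, exchange, flags, msg id, length

def classify_4500(payload: bytes) -> dict:
    """Describe one datagram received on UDP port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        hdr_len = struct.calcsize(ISAKMP_HDR)  # 28 bytes
        if len(ike) < hdr_len:
            return {"kind": "ike", "error": "truncated ISAKMP header"}
        ispi, _rspi, _np, version, exch, _flags, _msgid, length = struct.unpack(ISAKMP_HDR, ike[:hdr_len])
        return {"kind": "ike", "initiator_spi": ispi.hex(), "major_version": version >> 4,
                "exchange_type": exch, "length": length}
    if len(payload) < 8:  # ESP header is SPI (4) + sequence number (4)
        return {"kind": "esp", "error": "truncated ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

def summarize(datagrams) -> Counter:
    """Count datagram kinds, the way a monitor watching a NAT-T session would."""
    return Counter(classify_4500(d)["kind"] for d in datagrams)

# Constructed sample datagrams (not a real capture): an IKEv1 main-mode header
# (exchange type 2) behind the non-ESP marker, keepalives, and two ESP packets.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(ISAKMP_HDR, b"\x01" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16
SAMPLE_FLOW = [SAMPLE_IKE, NAT_KEEPALIVE, SAMPLE_ESP, SAMPLE_ESP, NAT_KEEPALIVE]

if __name__ == "__main__":
    for d in SAMPLE_FLOW:
        print(classify_4500(d))
    print(summarize(SAMPLE_FLOW))
```

With manual keying there is no IKE on the port and nothing sends the 0xFF keepalives, which is why a NAT mapping for a static SA silently expires.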