[Ipsec-tools-users] Re: [Openswan Users] nat_traversal in manual keying ?

VANHULLEBUS Yvan vanhu at free.fr
Tue Feb 28 14:37:14 CET 2006


On Tue, Feb 28, 2006 at 02:25:40PM +0100, Francesco Peeters wrote:
> On Tue, February 28, 2006 14:05, Pjothi said:
[NAT-T encapsulation in manual keying]
> I am not an OpenSwan programmer (I *am* a programmer, but not on OpenSwan,
> just to clear any misunderstandings before they occur <G>), but do know
> something about IPsec and IKE.

I am not an OpenSwan developer/user, but I am an ipsec-tools (and also
a "non official" BSD IPSec stack) developer :-)


> NAT-T depends on encapsulating the IPsec traffic in UDP packets. Although
> this could theoretically be done with manual keying, it is customarily
> connected to the IKE negotiations,

Yep.

> and usually uses the IKE port for
> encapsulation.

No. Using UDP port 500 was only done for first draft versions, latest
versions and RFCs use a "port floating" to UDP 4500.


But it still needs NAT-T keepalives (done by racoon, I don't know if
this is done in kernel stack or userland for *Swan), and NAT-T has
really been done for IKE negotiations, not static keying.



Yvan.
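An added illustration, not from this thread and not ipsec-tools or *Swan code: the three payload shapes that RFC 3948 multiplexes on UDP 4500 after port floating (ESP-in-UDP, IKE behind the Non-ESP marker, and the one-byte NAT keepalive), plus a check for peers whose silence would let a NAT drop the mapping. The sample datagrams and the 30-second idle limit are assumptions.

```python
import struct
from dataclasses import dataclass
# RFC 3948 multiplexes three payload shapes on UDP/4500:
#   ESP-in-UDP:    non-zero 4-byte ESP SPI, then the ESP packet
#   IKE-in-UDP:    4 zero bytes (the "Non-ESP marker"), then the IKE message
#   NAT keepalive: a single 0xFF byte, only there to refresh the NAT binding
KEEPALIVE = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"

@dataclass
class Datagram:
    peer: str       # NAT'd public address:port as seen by the responder
    ts: float       # arrival time in seconds
    payload: bytes  # UDP payload (constructed samples below)

def classify(payload: bytes):
    """Return (kind, spi); spi is the ESP SPI for ESP datagrams, else 0."""
    if payload == KEEPALIVE:
        return ("keepalive", 0)
    if len(payload) < 4:
        return ("malformed", 0)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", 0)
    return ("esp", struct.unpack("!I", payload[:4])[0])

def mapping_gaps(datagrams, max_idle: float):
    """Peers whose longest silence exceeds max_idle: any datagram (ESP, IKE
    or keepalive) refreshes the NAT binding, so these risk losing it."""
    last, worst = {}, {}
    for d in sorted(datagrams, key=lambda d: d.ts):
        if d.peer in last:
            worst[d.peer] = max(worst.get(d.peer, 0.0), d.ts - last[d.peer])
        last[d.peer] = d.ts
    return {p: g for p, g in worst.items() if g > max_idle}

# Constructed sample traffic (assumed): A sends keepalives while idle, B goes silent.
SAMPLE = [
    Datagram("198.51.100.7:61001", 0.0, NON_ESP_MARKER + b"\x11" * 28),
    Datagram("198.51.100.7:61001", 1.0, struct.pack("!I", 0xC0FFEE01) + b"\x22" * 40),
    Datagram("198.51.100.7:61001", 20.0, KEEPALIVE),
    Datagram("198.51.100.7:61001", 40.0, KEEPALIVE),
    Datagram("203.0.113.9:4500", 0.0, struct.pack("!I", 0x0000ABCD) + b"\x33" * 40),
    Datagram("203.0.113.9:4500", 65.0, struct.pack("!I", 0x0000ABCD) + b"\x33" * 40),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.peer, d.ts, classify(d.payload))
    print("at risk of losing NAT mapping:", mapping_gaps(SAMPLE, max_idle=30.0))
```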

