[Openswan Users] NAT-T

Paul Wouters paul at xelerance.com
Fri Mar 24 16:26:05 CET 2006

On Fri, 24 Mar 2006, Oliver Tomkins wrote:

> nat_traversal=yes, virtual_private line, rightsubnet=vhost:%no,%priv to the
> ipsec.conf and opened port 4500 on the firewall.
> The client machine appears to connect fine - the client can browse the network
> etc,
> However when I'm packet sniffing on the firewall I only see UDP traffic rather
> the ESP traffic that I normally see with our non-nat clients?
> Am I missing something obvious here?

The only thing you are missing is that NETKEY and tcpdump don't work well
together due to how NETKEY hooks into the kernel. The packets get encrypted
*after* the point where tcpdump can read them. Verify this on the other end
where if you run tcpdump you will see the encrypted packets coming in (and
like through magic, ALSO see the decrypted packets coming in).

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list