[Openswan Users] NAT-T

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Fri Mar 24 15:57:28 CET 2006


Sorry, I'm still slightly confused by this.

Our VPN server is on our internal subnet, why would I not be able to see 
encrypted incoming packets after the SA has gone up coming into our 
subnet across the firewall?

Also I see this in /var/log/secure

ERROR: asynchronous network error report on eth0 (sport=500) for message 
to (client IP) port 4500, complainant (gateway): Connection refused 
[errno 111, origin ICMP type 3 code 3 (not authenticated)]

Thanks,

Olly.



Paul Wouters wrote:
> On Fri, 24 Mar 2006, Oliver Tomkins wrote:
> 
>> nat_traversal=yes, virtual_private line, rightsubnet=vhost:%no,%priv to the
>> ipsec.conf and opened port 4500 on the firewall.
>>
>> The client machine appears to connect fine - the client can browse the network
>> etc,
>>
>> However when I'm packet sniffing on the firewall I only see UDP traffic rather
>> than the ESP traffic that I normally see with our non-nat clients?
>>
>> Am I missing something obvious here?
> 
> The only thing you are missing is that NETKEY and tcpdump don't work well
> together due to how NETKEY hooks into the kernel. The packets get encrypted
> *after* the point where tcpdump can read them. Verify this on the other end
> where if you run tcpdump you will see the encrypted packets coming in (and
> like through magic, ALSO see the decrypted packets coming in).
> 
> Paul
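As an added illustration of why a NAT-T client shows up on the firewall as plain UDP rather than ESP (this is example code written for this page, not code from the thread or from Openswan): with NAT traversal negotiated, the ESP packets are wrapped in UDP on port 4500 as described in RFC 3948, so a sniffer that matches on IP protocol 50 sees nothing. The decoder below takes raw IPv4 packets, distinguishes native ESP from UDP/4500 traffic, and then applies the RFC 3948 rules for what can travel on that port (a one-byte 0xFF NAT keepalive, IKE behind a four-zero-byte "non-ESP marker", or ESP with its SPI and sequence number). All addresses, SPIs and packets are constructed for the example.

```python
"""Classify IPv4 packets as native ESP or UDP-encapsulated NAT-T traffic.

Example code (not from the mailing-list thread or from Openswan). Layouts
follow RFC 4303 (ESP header) and RFC 3948 (UDP encapsulation on port 4500).
Every sample packet below is hand-constructed for the demonstration.
"""
import struct

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500
IKE_PORT = 500


def _ipv4_header(proto: int, src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left as zero since we never send it."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, addr(src), addr(dst))


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum zero) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_udp_payload(payload: bytes) -> dict:
    """Apply the RFC 3948 rules for a datagram seen on UDP port 4500."""
    if payload == b"\xff":
        # Single 0xFF byte: NAT keepalive, sent to keep the NAT mapping alive.
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        # Four zero bytes are the "non-ESP marker": an IKE message follows.
        # This works because an ESP SPI of 0 is reserved and never used.
        return {"kind": "ike", "ike_len": len(payload) - 4}
    if len(payload) >= 8:
        # Otherwise it is an ESP packet: SPI, sequence number, then ciphertext.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp-in-udp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def classify_packet(pkt: bytes) -> dict:
    """Decode one raw IPv4 packet and say what kind of IPsec traffic it carries."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # IP protocol field
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        # Native ESP, what a non-NAT client produces.
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    if proto == UDP_PROTO:
        sport, dport, ulen, _csum = struct.unpack("!HHHH", body[:8])
        payload = body[8:ulen]
        if NAT_T_PORT in (sport, dport):
            result = classify_udp_payload(payload)
            result.update(sport=sport, dport=dport)
            return result
        if IKE_PORT in (sport, dport):
            return {"kind": "ike", "sport": sport, "dport": dport}
        return {"kind": "udp", "sport": sport, "dport": dport}
    return {"kind": "other", "proto": proto}


def build_samples() -> dict:
    """Constructed packets: one native ESP, three UDP/4500 variants."""
    esp_body = struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16  # SPI, seq, fake ciphertext
    gw, client = "192.0.2.1", "203.0.113.10"                     # documentation addresses
    return {
        "native_esp": _ipv4_header(ESP_PROTO, client, gw, len(esp_body)) + esp_body,
        "natt_esp": _ipv4_header(UDP_PROTO, client, gw, 8 + len(esp_body))
                    + _udp(NAT_T_PORT, NAT_T_PORT, esp_body),
        "natt_ike": _ipv4_header(UDP_PROTO, client, gw, 8 + 32)
                    + _udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 4 + b"\x11" * 28),
        "keepalive": _ipv4_header(UDP_PROTO, client, gw, 8 + 1)
                     + _udp(NAT_T_PORT, NAT_T_PORT, b"\xff"),
    }


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        print(f"{name:12s} -> {classify_packet(pkt)}")
```

Run it stand-alone and the native ESP sample is reported as `esp`, while the three NAT-T samples are all UDP/4500 and are told apart only by their payloads. The same logic explains the thread's symptom: a capture filter for IP protocol 50 misses NAT-T clients entirely, and one for `udp port 4500` catches them. On the log line quoted above, ICMP type 3 code 3 is "port unreachable", which the kernel surfaces as `Connection refused` (errno 111) for the UDP socket that sent the datagram.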
