[Openswan Users] NAT-T
Paul Wouters
paul at xelerance.com
Fri Mar 24 17:18:43 CET 2006
On Fri, 24 Mar 2006, Oliver Tomkins wrote:
> Sorry, I'm still slightly confused by this.
>
> Our VPN server is on our internal subnet, why would I not be able to see
> encrypted incoming packets after the SA has gone up coming into our subnet
> across the firewall?
I assumed you were talking about running tcpdump on your vpn server, not on
your router.
> Also I see this in /var/log/secure
>
> ERROR: asynchronous network error report on eth0 (sport=500) for message to
> (client IP) port 4500, complainant (gateway): Connection refused [errno 111,
> origin ICMP type 3 code 3 (not authenticated)]
Seems there is some confusion about ports. Are you forwarding both port 500 and
4500? Does the IPsec SA Established message show a NATD= entry with a port?
Paul
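To make the two checks above concrete, here is an added example (not code from this thread or from Openswan) that parses pluto-style log lines: it decodes the ICMP type/code in an "asynchronous network error report", pulls the NATD=host:port detail out of an "IPsec SA established" line, and turns the combination into port-forwarding hints. The sample lines are constructed; the NATD=host:port layout and the hostnames/addresses are assumptions, not output captured from the poster's server.

```python
import re

# Constructed sample lines in the style of Openswan's pluto syslog output.
# Addresses are from documentation ranges; the NATD=host:port layout is an
# assumption about the "IPsec SA established" detail line, and the error
# line mirrors the one quoted in the thread with placeholder addresses.
SAMPLE_LOG = """\
Mar 24 16:02:11 gw pluto[1234]: "roadwarrior" #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x0a1b2c3d <0x4e5f6a7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=203.0.113.7:4500 DPD=none}
Mar 24 16:02:40 gw pluto[1234]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 203.0.113.7 port 4500, complainant 192.0.2.1: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# ICMP destination-unreachable (type 3) codes relevant to IKE/NAT-T debugging.
ICMP_UNREACH_CODES = {
    0: "network unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

ERR_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) "
    r"for message to (?P<dst>[^:\s]+) port (?P<dport>\d+), complainant (?P<complainant>[^:\s]+): "
    r".*?origin ICMP type (?P<type>\d+) code (?P<code>\d+)"
)
SA_RE = re.compile(r"IPsec SA established \{[^}]*NATD=(?P<host>[^:\s]+):(?P<port>\d+)")


def describe_icmp(icmp_type, icmp_code):
    """Human-readable meaning of an ICMP type/code pair."""
    if icmp_type == 3:
        return "destination unreachable: " + ICMP_UNREACH_CODES.get(icmp_code, f"code {icmp_code}")
    return f"ICMP type {icmp_type} code {icmp_code}"


def parse_log(text):
    """Collect network error reports and NAT-T detection results from pluto log lines."""
    findings = {"errors": [], "natd": []}
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m:
            findings["errors"].append({
                "iface": m["iface"], "sport": int(m["sport"]), "dst": m["dst"],
                "dport": int(m["dport"]), "complainant": m["complainant"],
                "type": int(m["type"]), "code": int(m["code"]),
                "meaning": describe_icmp(int(m["type"]), int(m["code"])),
            })
            continue
        m = SA_RE.search(line)
        if m:
            findings["natd"].append({"host": m["host"], "port": int(m["port"])})
    return findings


def diagnose(findings):
    """Turn parsed findings into the port-forwarding checks a NAT-T admin would make."""
    hints = []
    for e in findings["errors"]:
        if (e["type"], e["code"]) == (3, 3):
            hints.append(
                f"{e['complainant']} reports port unreachable for UDP {e['dport']} to {e['dst']}: "
                "nothing listens there, or the NAT/firewall in front of the peer does not forward that port"
            )
        if e["sport"] != e["dport"]:
            hints.append(
                f"IKE was sent from UDP {e['sport']} to UDP {e['dport']}: "
                "after NAT-T floats, both ends use UDP 4500 for IKE and ESP-in-UDP"
            )
    if any(n["port"] == 4500 for n in findings["natd"]):
        hints.append("SA came up with NATD=...:4500, so UDP 4500 must be forwarded to the VPN server as well as UDP 500")
    return hints


if __name__ == "__main__":
    for hint in diagnose(parse_log(SAMPLE_LOG)):
        print("-", hint)
```

Run it against `grep pluto /var/log/secure` output instead of SAMPLE_LOG to get the same hints for a real gateway; a port-unreachable (type 3, code 3) against UDP 4500 together with a NATD=...:4500 entry is the signature of a firewall that forwards 500 but not 4500.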