[Openswan Users] NAT-T

Paul Wouters paul at xelerance.com
Fri Mar 24 17:18:43 CET 2006

On Fri, 24 Mar 2006, Oliver Tomkins wrote:

> Sorry, I'm still slightly confused by this.
> Our VPN server is on our internal subnet, why would I not be able to see
> encrypted incoming packets after the SA has gone up coming into our subnet
> across the firewall?

I assumed you were talking about running tcpdump on your vpn server, not on
your router.

> Also I see this in /var/log/secure
> ERROR: asynchronous network error report on eth0 (sport=500) for message to
> (client IP) port 4500, complainant (gateway): Connection refused [errno 111,
> origin ICMP type 3 code 3 (not authenticated)]

Seems there is some confusion about ports. Are you forwarding both port 500 and
4500? Does the IPsec SA Estbalished message show a NATD= entry with a port?


More information about the Users mailing list