[Openswan Users] NAT-T

Paul Wouters paul at xelerance.com
Fri Mar 24 18:03:11 CET 2006

On Fri, 24 Mar 2006, Oliver Tomkins wrote:

> > Seems there is some confusion about ports. Are you forwarding both port 500
> > and
> > 4500? Does the IPsec SA Estbalished message show a NATD= entry with a port?
> I'm a little unsure of what you mean by forwarding both ports?

Since your VPN server is behind NAT, it needs to receive port 500 and port 4500
from your NAT router in front of it.

> NATD is as follows:
> pluto[2132]: "note"[1] XX.XXX.XXX.XX #6: STATE_QUICK_R2: IPsec SA established
> {ESP=>0x60b11015 <0xeb54ec4a xfrm= 3DES_0-HMAC_MD5 NATD=XX.XX.XX.XX:4500 DPD=none}

Okay. That looks good. So it should work, at least for a single l2tp client.


More information about the Users mailing list