[Openswan Users] openswan + l2tpd + iptables problem

Paul Wouters paul at xelerance.com
Wed Oct 18 13:48:30 EDT 2006


On Wed, 18 Oct 2006, Brett Curtis wrote:

> Guys I replied to this thread back when it was first posted.
>
> I am wondering if someone could explain why the mark of port 4500 is now needed?

A change in how nat-t with netkey works?

> Before x_tables was introduced in the kernel marking proto 50 worked
> for both NAT and non-NAT.

Perhaps the decapsulation of udp 4500 packets into esp packets is now happening
differently?

> Was there a change in the way ESP match works?

Since nat-t with netkey broke on 2.6.17 and 2.6.18 and got fixed in 2.6.18.1,
I'd say "probably".

> Are there risks in matching port 4500 and allowing in?

No. It's all past the DH exchange, so any bogus packet will just get discarded
without being read.

Paul
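The rule set the thread is arguing about, written out as an added example (not from the list thread or from the Openswan project): IKE on UDP 500, NAT-T on UDP 4500, raw ESP for peers that are not behind NAT, and L2TP accepted only when the packet came out of an IPsec SA, so that the decapsulated NETKEY traffic Paul describes is admitted without exposing UDP 1701 in the clear. The interface name `eth0` and the `IPT` variable are assumptions; `IPT` defaults to `echo` so the script only prints the rules and runs offline, and `IPT=iptables` applies them.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post. Generates the INPUT
# rules for an Openswan/NETKEY host running L2TP over IPsec.
# IPT defaults to "echo" (dry run); set IPT=iptables to apply the rules.
# WAN is the outward-facing interface (assumption: eth0).
IPT="${IPT:-echo}"
WAN="${WAN:-eth0}"

ipsec_input_rules() {
    # IKE (UDP 500) and NAT-T / IKE over UDP 4500 (RFC 3947/3948)
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT
    # Raw ESP (IP protocol 50) from peers that are not behind NAT
    "$IPT" -A INPUT -i "$WAN" -p esp -j ACCEPT
    # Packets decapsulated by NETKEY re-enter the filter as plain IP, so
    # match on the IPsec policy rather than on a mark: L2TP (UDP 1701) is
    # accepted only when it arrived inside an IPsec SA, and dropped otherwise
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 1701 -j DROP
}

# Number of rules the generator emits (used when dry-running with IPT=echo)
count_rules() {
    ipsec_input_rules | wc -l | tr -d ' '
}

ipsec_input_rules
```

The policy match replaces the older "mark proto 50 in mangle, accept marked packets in filter" approach: it is evaluated on the decapsulated packet itself, so it works the same for ESP and for UDP-encapsulated ESP.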

