[Openswan Users] openswan + l2tpd + iptables problem
mechanix at debian.org
Wed Oct 18 15:35:08 EDT 2006
On Wed, Oct 18, 2006 at 07:48:30PM +0200, Paul Wouters wrote:
> On Wed, 18 Oct 2006, Brett Curtis wrote:
>
> > I am wondering if someone could explain why the mark of port 4500 is now needed?
>
> A change in how nat-t with netkey works?
>
> > Before x_tables was introduced in the kernel marking proto 50 worked
> > for both NAT and non-NAT.
>
> Perhaps the decapsulation of udp 4500 packets into esp packets is now happening
> differently?
>
> > Was there a change in the way ESP match works?
>
> since nat-t with netkey broke on 2.6.17 and 2.6.18 and got fixed in 2.6.18.1,
> I'd say "probably".
I should note that I am using a (Debian) 2.6.16 kernel, not .17 or .18.
> > Are there risks in matching port 4500 and allowing in?
>
> No. It's all past the DH exchange, so any bogus packet will just get discarded
> without being read.
Regards,
Filip
--
http://www.evonet.be/~filipvr/
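Added editorial example (not part of the thread, not from the Openswan project): an iptables-restore fragment for the openswan + l2tpd + NETKEY case discussed above. It accepts IKE (UDP 500), NAT-T (UDP 4500, which carries ESP encapsulated in UDP for peers behind NAT) and plain ESP (proto 50), and then restricts L2TP (UDP 1701) to packets that were actually decapsulated from an IPsec SA using the xtables `policy` match, instead of the packet-mark trick the thread is about. Chain policies, interface name and the assumption that no other services need to be reachable are illustrative.

```iptables
# Assumed: single public interface eth0, all other inbound traffic dropped.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# IKE: the key exchange itself (ISAKMP).
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT

# NAT-T: when a peer is behind NAT, IKE floats to UDP 4500 and ESP is
# carried inside UDP 4500 (UDP encapsulation). A rule that only matches
# proto 50 never sees this traffic, which is why 4500 must be allowed too.
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT

# Plain ESP for peers that are not behind NAT.
-A INPUT -i eth0 -p esp -j ACCEPT

# L2TP (UDP 1701) only if the packet arrived through an IPsec SA. With
# NETKEY there is no ipsecX interface to match on; the policy match asks
# the kernel whether the packet was decapsulated from an ESP SA. Both
# plain ESP and UDP-4500-encapsulated ESP satisfy this match.
-A INPUT -i eth0 -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT

# Bare L2TP that did not come through IPsec is refused.
-A INPUT -i eth0 -p udp --dport 1701 -j DROP
COMMIT
```

Load it with `iptables-restore < rules` and check that a client connecting from behind NAT increments the UDP 4500 counter (`iptables -L INPUT -v -n`), while the UDP 1701 DROP rule stays at zero for legitimate clients. The policy match requires the xt_policy module (CONFIG_NETFILTER_XT_MATCH_POLICY), which is present in the x_tables kernels the thread refers to.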