[Openswan Users] FC6 iptables problem

Paul Wouters paul at xelerance.com
Fri Mar 23 16:29:13 EDT 2007

On Fri, 23 Mar 2007, Xunhua Wang wrote:

> Ok. I may have found the reason but it is not clear where to fix it. My
> Windows IPsec/L2TP client is behind a NAT (its IP address is
> but the IPsec SA does _not_ report it (see below).

It does:

> Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] #5:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed

> Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping

> #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x61a49581
> <0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD= DPD=none}

The UDP port 4500 of your ipsec client is natted to port 1468 on the NAT
router at

> Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report
> on eth1 (sport=4500) for message to port 1468, complainant
> No route to host [errno 113, origin ICMP type 3 code 1 (not
> authenticated)]

However, it seems openswan is not able to send a packet from its IP on port
4500 to port 1468. Either a firewall rule, or a broken NAT


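A log-triage sketch for the pluto lines quoted in this thread, added here as an example; it is not part of the original message and is not Openswan code. It picks out connections flagged "peer is NATed" and decodes each asynchronous ICMP error report, showing whether the failed send went from the NAT-T port 4500 to a remapped port. The function name `triage`, the sample lines and the address 192.0.2.10 are constructed for illustration.

```python
import re

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1812.
UNREACH = {0: "network unreachable", 1: "host unreachable",
           3: "port unreachable", 10: "host administratively prohibited",
           13: "communication administratively prohibited"}

# Address fields are optional so archived logs with the addresses stripped
# (as in this thread) still parse.
ERR_RE = re.compile(
    r"asynchronous network error report\s+on (?P<iface>\S+) "
    r"\(sport=(?P<sport>\d+)\) for message to (?:(?P<dst>\S+) )?"
    r"port (?P<dport>\d+), complainant(?: (?P<by>[^\s:]+):)? "
    r"(?P<text>.+?) \[errno (?P<errno>\d+), "
    r"origin ICMP type (?P<type>\d+) code (?P<code>\d+)")
NATED_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\].*NAT-Traversal: .*peer is NATed')

def triage(lines):
    """Return (names of NATed connections, decoded ICMP error reports)."""
    nated, errors = set(), []
    for line in lines:
        m = NATED_RE.search(line)
        if m:
            nated.add(m["conn"])
        m = ERR_RE.search(line)
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        itype, code = int(m["type"]), int(m["code"])
        errors.append({
            "sport": sport, "dport": dport, "dst": m["dst"], "complainant": m["by"],
            "icmp": UNREACH.get(code, f"code {code}") if itype == 3
                    else f"type {itype} code {code}",
            # Sent from the NAT-T port to a non-4500 port: the NAT router's mapping.
            "natt_mapped": sport == 4500 and dport != 4500,
            # True when the destination address itself returned the ICMP error.
            "reported_by_dst": m["by"] is not None and m["by"] == m["dst"],
        })
    return nated, errors

# Constructed sample: 192.0.2.10 is a documentation address, not from the thread.
SAMPLE = [
    'Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] 192.0.2.10 #5: '
    'NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed',
    'Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report '
    'on eth1 (sport=4500) for message to 192.0.2.10 port 1468, complainant '
    '192.0.2.10: No route to host [errno 113, origin ICMP type 3 code 1 '
    '(not authenticated)]',
]
```

Calling `triage(SAMPLE)` returns the set of NATed connection names and a list of decoded reports; lines whose addresses have been stripped still parse, with `dst` and `complainant` set to `None`.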