[Openswan Users] FC6 iptables problem

wangxx at jmu.edu wangxx at jmu.edu
Fri Mar 23 17:07:09 EDT 2007

You are right. The problem is not with NAT but something else.

It is _not_ the firewall either as the error remains even 
after I turned iptables off.

I dumped all the traffic on the server and noticed that the 
server does not send out a single packet after IPsec SA was 
reportedly established.



---- Original message ----
>Date: Fri, 23 Mar 2007 21:29:13 +0100 (CET)
>From: Paul Wouters <paul at xelerance.com>
>Subject: RE: [Openswan Users] FC6 iptables problem
>To: Xunhua Wang <wangxx at jmu.edu>
>Cc: users at openswan.org
>On Fri, 23 Mar 2007, Xunhua Wang wrote:
>> Ok. I may have found the reason but it is not clear where to fix it. My
>> Windows IPsec/L2TP client is behind a NAT (its IP address
>> but the IPsec SA does _not_ report it (see below).
>It does:
>> Mar 23 15:38:32 Newton pluto[2816]: "roadwarrior"[5] #5:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>> Mar 23 15:38:32 Newton pluto[2816]: | NAT-T: new mapping
>> #6: STATE_QUICK_R2: IPsec SA established
>> <0xb9b65f0b xfrm=3DES_0-HMAC_MD5 NATD=
>The UDP port 4500 of your ipsec client is natted to port 1468 on the NAT
>router at
>> Mar 23 15:38:37 Newton pluto[2816]: ERROR: asynchronous network error report
>> on eth1 (sport=4500) for message to port 1468, complainant
>> No route to host [errno 113, origin ICMP type 3 code 1 (not
>> authenticated)]
>However, it seems openswan is not able to send a packet from its IP on port
>4500 to port 1468. Either a firewall rule, or a broken NAT
