[Openswan Users] Problem with forceencaps
steve.morard at epfl.ch
Tue May 1 04:04:44 EDT 2007
In fact, I'm wondering if the UDP encapsulation is negotiated with IKE. In this
case, it could be that the remote gateway to which I want to connect doesn't
support UDP encapsulation.
Here is my ipsec.conf:
version 2.0

config setup
        nat_traversal=yes
        plutodebug=all
        plutostderrlog=/etc/ipsec.err

conn toFT
        type=tunnel
        forceencaps=yes
        # Left security gateway, subnet behind it, next hop toward right.
        left=172.18.112.7
        leftsubnet=172.25.8.8/29
        leftsourceip=172.25.8.8
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, next hop toward left.
        right=x.x.x.x
        rightsubnet=172.20.210.48/29
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add
        aggrmode=no
        pfs=yes
        authby=secret
        keyexchange=ike
        ikelifetime=1d
        keylife=1h
        #esp=aes128-md5,aes128-sha1
        ike=aes128-sha1,aes128-md5
        esp=aes128-md5,aes128-sha1

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
This configuration (without forceencaps=yes) allows me to negotiate the SAs and
I'm able to use the IPSec tunnel to send packets. The problem is that the
firewall blocks the replies from the remote gateway. This is why I would like
to use UDP encapsulation.
Thank you
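Whether forceencaps actually produced UDP-encapsulated SAs in both directions can be read off the kernel's IPsec state: on Linux, `ip xfrm state` prints an `encap type espinudp sport 4500 dport 4500` line for each SA that uses NAT-T encapsulation and nothing of the kind for a plain ESP SA. The following parser is an added example, not code from the post or from the Openswan project; it runs over a constructed sample of `ip xfrm state` output (the remote address 203.0.113.10 stands in for the x.x.x.x of the post, and the SPIs and key material are placeholders) and reports which SAs lack UDP encapsulation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ip xfrm state` output (not captured from the poster's
# system): the outbound SA negotiated NAT-T encapsulation, the inbound SA did not.
SAMPLE_XFRM_STATE = """\
src 172.18.112.7 dst 203.0.113.10
\tproto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x00 96
\tenc cbc(aes) 0x00
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 203.0.113.10 dst 172.18.112.7
\tproto esp spi 0x1d2c3b4a reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x00 96
\tenc cbc(aes) 0x00
"""


def parse_xfrm_state(text: str) -> List[Dict[str, Optional[str]]]:
    """Split `ip xfrm state` output into one dict per SA.

    Every SA begins with an unindented 'src A dst B' line; the indented lines
    that follow (proto/spi/mode, algorithms, optional encap) belong to it.
    """
    sas: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            head = re.match(r"src (\S+) dst (\S+)", line)
            if head is None:
                continue  # unrelated unindented line, skip it
            current = {"src": head.group(1), "dst": head.group(2), "encap": None}
            sas.append(current)
            continue
        if current is None:
            continue
        body = line.strip()
        sa_line = re.match(r"proto (\S+) spi (\S+) .*mode (\S+)", body)
        if sa_line:
            current["proto"], current["spi"], current["mode"] = sa_line.groups()
        encap = re.match(r"encap type (\S+) sport (\d+) dport (\d+)", body)
        if encap:
            current["encap"], current["sport"], current["dport"] = encap.groups()
    return sas


def sas_without_udp_encap(text: str) -> List[Tuple[str, str, str]]:
    """Return (src, dst, spi) for every ESP SA that is not UDP-encapsulated.

    With forceencaps working for both peers this list is empty; an entry for
    the inbound direction means the remote side is still sending native ESP
    (IP protocol 50), which is exactly what a NAT or firewall in front of the
    local gateway will drop.
    """
    return [
        (sa["src"], sa["dst"], sa.get("spi", "?"))
        for sa in parse_xfrm_state(text)
        if sa.get("proto") == "esp" and sa["encap"] != "espinudp"
    ]


if __name__ == "__main__":
    # In practice feed it the live output: subprocess.run(["ip", "xfrm", "state"], ...)
    for src, dst, spi in sas_without_udp_encap(SAMPLE_XFRM_STATE):
        print(f"SA {src} -> {dst} spi {spi}: plain ESP, no UDP encapsulation")
```

An SA that shows `espinudp` only in the outbound direction is the case the post describes: the local side wraps ESP in UDP/4500, but the remote gateway still answers with native ESP, so the firewall in front of the local gateway never sees the replies on UDP/4500. The same check on the remote side tells you whether it negotiated encapsulation at all.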