[Openswan Users] ike and netfilter timeout

Michael Smith msmith at cbnco.com
Wed Jan 16 07:58:40 EST 2008

On Tue, 15 Jan 2008, Marco Berizzi wrote:

> > What I ended up doing is NATting only TCP, UDP and ICMP, instead of all
> > IP, and forcing the port range above used ports:
> I also need snat udp500 for vpn clients like cisco/
> checkpoint and other ipsec based.

That's fine, I do the same; what I'm suggesting is that rather than using 
the default SNAT, you SNAT them to a different port range.

By default Linux will change the packets as little as possible - if a 
client behind NAT asks for port 500, and nobody is using it, it'll get it. 
With the rules I suggested it'll be forced to ports 10000 and higher, 
saving port 500 for the gateway.


More information about the Users mailing list