[Openswan Users] ike and netfilter timeout
msmith at cbnco.com
Wed Jan 16 07:58:40 EST 2008
On Tue, 15 Jan 2008, Marco Berizzi wrote:
> > What I ended up doing is NATting only TCP, UDP and ICMP, instead of all
> > IP, and forcing the port range above used ports:
> I also need snat udp500 for vpn clients like cisco/
> checkpoint and other ipsec based.
That's fine, I do the same; what I'm suggesting is that rather than using
the default SNAT, you SNAT them to a different port range.
By default Linux will change the packets as little as possible - if a
client behind NAT asks for port 500, and nobody is using it, it'll get it.
With the rules I suggested it'll be forced to ports 10000 and higher,
saving port 500 for the gateway.
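As an added illustration of the rule set described above (this is example code, not the rules from the original post or from the Openswan project), the script below builds POSTROUTING SNAT rules that NAT only TCP, UDP and ICMP from the LAN and force TCP/UDP source ports into 10000-65535, leaving UDP 500 (and 4500) on the gateway address untouched for the gateway's own IKE. The interface name, public address and LAN prefix are assumed placeholders. By default it only prints the rules; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Example: SNAT LAN clients to a high port range so port 500 stays free
# for the gateway's own IKE. Interface/addresses below are placeholders.

# Execute a command when APPLY=1, otherwise just print it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# snat_rules WAN_IF WAN_IP LAN_NET [LOW_PORT] [HIGH_PORT]
# Emits three rules: TCP and UDP get a source-port range, ICMP gets plain SNAT
# (iptables only accepts a port range with -p tcp/-p udp). Anything else
# (ESP, GRE, ...) is deliberately left un-NATted.
snat_rules() {
    wan_if=$1; wan_ip=$2; lan_net=$3
    lo=${4:-10000}; hi=${5:-65535}

    # The "default" alternative this replaces would be a single rule such as
    #   iptables -t nat -A POSTROUTING -o "$wan_if" -j SNAT --to-source "$wan_ip"
    # which lets a client keep source port 500 if the gateway is not using it.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -p tcp \
        -j SNAT --to-source "$wan_ip:$lo-$hi"
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -p udp \
        -j SNAT --to-source "$wan_ip:$lo-$hi"
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -p icmp \
        -j SNAT --to-source "$wan_ip"
}

# Stand-alone usage: print (or apply) the rules for placeholder values.
snat_rules "${WAN_IF:-eth0}" "${WAN_IP:-203.0.113.1}" "${LAN_NET:-192.168.1.0/24}"
```

The `-s LAN_NET` match keeps the gateway's own outbound IKE (source port 500 from the gateway address) out of the SNAT rules entirely, so it is never remapped. Clients behind the gateway that need IPsec must use NAT-T (UDP 4500), since ESP is not covered by these rules; the UDP rule will remap their source port, which NAT-T tolerates.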