[Openswan Users] ike and netfilter timeout
Michael Smith
msmith at cbnco.com
Wed Jan 16 07:58:40 EST 2008
On Tue, 15 Jan 2008, Marco Berizzi wrote:
> > What I ended up doing is NATting only TCP, UDP and ICMP, instead of all
> > IP, and forcing the port range above used ports:
>
> I also need snat udp500 for vpn clients like cisco/
> checkpoint and other ipsec based.
That's fine, I do the same; what I'm suggesting is that rather than using
the default SNAT, you SNAT them to a different port range.
By default Linux will change the packets as little as possible - if a
client behind NAT asks for port 500, and nobody is using it, it'll get it.
With the rules I suggested it'll be forced to ports 10000 and higher,
saving port 500 for the gateway.
Mike
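The rule set Mike describes above (translate only TCP, UDP and ICMP rather than all IP, and pin the translated source port into a range above the ports the gateway itself uses), written out as an added example that is not part of the original thread. The interface name eth0, the public address 203.0.113.1, the LAN 192.168.1.0/24 and the 10000-65535 range are assumptions; adjust them to the site. The script only prints the iptables commands unless APPLY=1 is set, since applying them needs root.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumed values (override via environment): external interface, public
# address (documentation range), LAN prefix, and the forced source-port range.
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.1}"
LAN="${LAN:-192.168.1.0/24}"
NAT_PORTS="${NAT_PORTS:-10000-65535}"

# Emit the SNAT rules. Only TCP, UDP and ICMP from the LAN are matched, so
# ESP (IP protocol 50) and anything else leaves the box untranslated, and
# the gateway's own packets (source = EXT_IP, not in LAN) never match at all.
nat_rules() {
    # TCP and UDP: --to-source addr:lo-hi makes nf_nat pick the translated
    # source port from that range instead of keeping the client's own port.
    # A LAN host sending from UDP 500 therefore shows up as 10000-65535,
    # leaving EXT_IP:500 to the gateway's IKE daemon.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -p tcp -j SNAT --to-source %s:%s\n' \
        "$LAN" "$EXT_IF" "$EXT_IP" "$NAT_PORTS"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -p udp -j SNAT --to-source %s:%s\n' \
        "$LAN" "$EXT_IF" "$EXT_IP" "$NAT_PORTS"
    # ICMP has no ports, and iptables rejects a port range with -p icmp;
    # only the address is rewritten (conntrack handles the echo id).
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -p icmp -j SNAT --to-source %s\n' \
        "$LAN" "$EXT_IF" "$EXT_IP"
}

# Self-check helper: how many emitted rules carry the forced port range
# (expected: the TCP and UDP rules, i.e. 2).
ranged_rule_count() {
    nat_rules | grep -c -- "--to-source $EXT_IP:$NAT_PORTS"
}

if [ "${APPLY:-0}" = "1" ]; then
    # Apply for real (root required); stop at the first failing command.
    nat_rules | sh -e
else
    # Dry run: show what would be applied.
    nat_rules
fi
```

With the default rules removed and these three in their place, `iptables -t nat -L POSTROUTING -n` should show the tcp and udp rules with `to:203.0.113.1:10000-65535` and the icmp rule with `to:203.0.113.1`; a LAN client's IKE packets then appear on the outside from a port in that range, and an IKE peer answering to 203.0.113.1:500 reaches the gateway, not the client.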