[Openswan Users] Connection against a Lucent FW success!!!! but maybe there's still room for improvement
Rolando Zappacosta
zappacor at yahoo.com.ar
Fri Sep 26 05:08:33 EDT 2008
Hi all,
I got a second PC in order to bring up the tunnel and sniff the traffic on different ones and could finally find the cause of OSW sometimes not connecting to a Lucent Brick.
What happens is everything works OK if directly connected to the Internet. But when NAT is in the middle, Lucent uses a user-configurable solution of encapsulating ISAKMP and IKE on UDP/500 packets as you can see in the attached file.
So, in a nutshell, they:
- prepare the packet to be sent as per plain, normal, standard ISAKMP or IKE (no NAT-T, no nothing) including up to its IP header. They then:
- encapsulate this resulting IP-UDP/500 packet in IP/UDP with identical IP addresses and UDP.src port but changing the UDP.dst port from 500 to 501 (of course, the server changes the UDP.src instead accordingly).
In order to experiment with it, I'll try now to find a way to do it as I couldn't find one in OSW itself. If it's possible please drop me a line, as having an option to do so would be great and would let OSW as a client be completely Lucent compatible.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: LVC-UDPencapsulated_port501.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20080926/ea7dbbe9/attachment.txt
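The encapsulation described in the post, as an added worked example that is not code from the post, from Openswan or from Lucent: it builds a plain IP/UDP-500 ISAKMP packet, wraps it IP-in-UDP with the outer destination port changed to 501 (same addresses, same UDP source port), and then inspects an arbitrary packet to decide whether it carries such an encapsulation, which is the check a capture-side analyst or IDS rule would want. The ISAKMP header layout follows RFC 2408; the addresses, cookies and the `inner`/`outer` helper names are constructed for this example, and the handling of the responder direction (port 501 as the outer source port) is an assumption drawn from the post's one-line remark about the server.

```python
"""Lucent-style IP-in-UDP/501 encapsulation of ISAKMP (hypothetical helper code).

Not taken from Openswan or Lucent; it models the framing the post describes
and provides a defender-side check for it. Sample addresses are constructed.
"""
import ipaddress
import struct

ISAKMP_PORT = 500        # standard IKE/ISAKMP port
LUCENT_ENCAP_PORT = 501  # outer UDP port used by the Brick behind NAT (per the post)
ISAKMP_HDR_LEN = 28      # RFC 2408 fixed header: 2 cookies, np, ver, xchg, flags, msgid, length


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal IPv4 + UDP framing. UDP checksum is left 0 (permitted over IPv4)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4_udp(pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None if not a sane IPv4/UDP packet."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or pkt[9] != 17 or ipv4_checksum(pkt[:ihl]) != 0:
        return None
    src_ip = str(ipaddress.IPv4Address(pkt[12:16]))
    dst_ip = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > total_len:
        return None
    return src_ip, dst_ip, sport, dport, pkt[ihl + 8:ihl + ulen]


def build_isakmp_packet(src_ip: str, dst_ip: str, src_port: int = ISAKMP_PORT) -> bytes:
    """Plain ISAKMP packet on UDP/500: header only (constructed cookies, no payloads) as a stand-in."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 0, 0x10, 2, 0, 0, ISAKMP_HDR_LEN)
    return build_ipv4_udp(src_ip, dst_ip, src_port, ISAKMP_PORT, hdr)


def lucent_encapsulate(inner_pkt: bytes) -> bytes:
    """Client direction per the post: same IPs, same UDP source port, outer destination port 501."""
    parsed = parse_ipv4_udp(inner_pkt)
    if parsed is None or parsed[3] != ISAKMP_PORT:
        raise ValueError("inner packet is not IPv4/UDP to port 500")
    src_ip, dst_ip, sport, _, _ = parsed
    return build_ipv4_udp(src_ip, dst_ip, sport, LUCENT_ENCAP_PORT, inner_pkt)


def inspect_lucent_encapsulation(pkt: bytes) -> dict:
    """Detection check: is pkt IP-in-UDP/501 carrying ISAKMP on UDP/500 with consistent addressing?"""
    result = {"encapsulated": False, "reason": "", "inner": None}
    outer = parse_ipv4_udp(pkt)
    if outer is None:
        result["reason"] = "not IPv4/UDP"
        return result
    o_src, o_dst, o_sport, o_dport, payload = outer
    # Either side may carry 501: destination for the client, source for the server (assumption).
    if LUCENT_ENCAP_PORT not in (o_sport, o_dport):
        result["reason"] = "no UDP/501 involvement"
        return result
    inner = parse_ipv4_udp(payload)
    if inner is None:
        result["reason"] = "UDP/501 payload is not a valid IPv4/UDP packet"
        return result
    i_src, i_dst, i_sport, i_dport, isakmp = inner
    if ISAKMP_PORT not in (i_sport, i_dport):
        result["reason"] = "inner packet is not UDP/500"
        return result
    if (i_src, i_dst) != (o_src, o_dst):
        result["reason"] = "inner/outer IP addresses differ"  # post says they are identical
        return result
    if o_dport == LUCENT_ENCAP_PORT and o_sport != i_sport:
        result["reason"] = "outer UDP source port does not match inner"  # post says it is kept
        return result
    if len(isakmp) < ISAKMP_HDR_LEN:
        result["reason"] = "inner payload shorter than an ISAKMP header"
        return result
    result.update(encapsulated=True, reason="ok", inner=payload)
    return result


if __name__ == "__main__":
    plain = build_isakmp_packet("192.0.2.10", "198.51.100.1")   # constructed addresses
    wrapped = lucent_encapsulate(plain)
    print(inspect_lucent_encapsulation(wrapped)["reason"], len(plain), len(wrapped))
```

The inspection function returns a reason string rather than a bare boolean so that a capture that only partially matches (UDP/501 but no valid inner IP header, or mismatched addresses) can be logged with what went wrong; a plain UDP/501 datagram that does not parse as IP-in-UDP is not reported as this encapsulation.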