[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement

Paul Wouters paul at xelerance.com
Fri Sep 26 15:20:00 EDT 2008

On Fri, 26 Sep 2008, Rolando Zappacosta wrote:

>  - prepare the packet to be sent as per plain, normal, standard ISAKMP or IKE (no NAT-T, no nothing) including up to its IP header. They then:
>  - encapulate this resulting IP-UDP/500 packet on IP/UDP with identical IP addresses and UDP.src port but changing the UDP.dst port from 500 to 501 (of course, the server changes the UDP.src instead accordingly).

that might be an older NAT-T draft? Or something proprietary

>   In order to experiment it, I'll try now to find a way to do it as couldn't find one on OSW itself. If it's possible please drop me a line as having an option to do so would be great and would let OSW as a client to be completelly Lucent compatible.

It is the kernel code (either the XFRM codewith nnetkey or the nat-t patch with klips)
that unwraps this packet and re-injects it into the kernel after decapsulation. I
don't think either implementation supports this on ports other then 4500 (assuming the
format is even the same).


More information about the Users mailing list