[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement
Paul Wouters
paul at xelerance.com
Wed Apr 8 13:33:25 EDT 2009
On Mon, 6 Apr 2009, Rolando Zappacosta wrote:
>>> modprobe ip_queue
>>> UDP501encap &
>>> iptables -A OUTPUT -d <GW IP addr> -j QUEUE
>>> iptables -A INPUT -s <GW IP addr> -j QUEUE
>>> before launching OSW as usual.
>>
>> Is that IP the local IP or the remote IP?
> The remote one: we encapsulate on Tx to the far end and we decapsulate on Rx from the far end.
>
>> Is this a portforward from 501 to 500? If so, why does it
>> need to go through userland?
> No. Lucent's way to work around NATing is to change this:
> | IP | whatever L4 proto | Payload |
> where IP has the (IP source; IP dest) within it
> into this:
> | IP | UDP:XXX | IP | whatever L4 proto | Payload |
> where both IP headers have the same (IP source; IP dest) within them and XXX is the configurable UDP port (default=501)
>
> In a nutshell, they "tunnelize" all the traffic to/from the client and the gateway into an IP/UDP:XXX header
Ugh. Okay, I see. I'll see how to properly integrate this using a config
file option and the standard _updown script.
Paul
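As an added illustration of the encapsulation Rolando describes (this is example code written for this page, not code from the thread, from Openswan, from the UDP501encap tool, or from Lucent): a small Python encapsulator/decapsulator that wraps a whole IPv4 packet in an outer IPv4 + UDP:501 header carrying the same source and destination addresses, and unwraps it again with sanity checks. Everything beyond the two packet layouts quoted above is an assumption: the UDP port is used as both source and destination port, the UDP checksum is left at zero (permitted for IPv4), and the sample inner packet (10.0.0.2 to 192.0.2.1 carrying ESP) is constructed for the demo.

```python
import socket
import struct

ENCAP_PORT = 501   # Lucent default "XXX" port per the thread; configurable on the gateway
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, length and checksum; return addresses, protocol and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:          # valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("IPv4 total length inconsistent with packet size")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, port: int = ENCAP_PORT) -> bytes:
    """| IP | L4 | Payload |  ->  | IP | UDP:port | IP | L4 | Payload |  (outer addresses copied from inner)."""
    ip = parse_ipv4(inner)
    # Assumption: port used for both UDP ports; checksum 0 = "no checksum" under IPv4.
    udp = struct.pack("!HHHH", port, port, 8 + len(inner), 0) + inner
    return build_ipv4(ip["src"], ip["dst"], IPPROTO_UDP, udp)


def decapsulate(outer: bytes, port: int = ENCAP_PORT, strict: bool = False) -> bytes:
    """Strip the outer IP/UDP header and return the inner IPv4 packet.

    strict=True additionally enforces the invariant from the thread that the outer
    and inner headers carry the same addresses; leave it False if a NAT device has
    rewritten the outer header in transit, which is the whole reason for the wrapper.
    """
    op = parse_ipv4(outer)
    if op["proto"] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp = op["payload"]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    _sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    if dport != port:
        raise ValueError("UDP destination port %d is not the encapsulation port %d" % (dport, port))
    if ulen != len(udp):
        raise ValueError("UDP length does not match payload size")
    inner = udp[8:ulen]
    ip = parse_ipv4(inner)                      # inner header must itself be sane
    if strict and (ip["src"], ip["dst"]) != (op["src"], op["dst"]):
        raise ValueError("inner/outer addresses disagree")
    return inner


def is_encap_packet(pkt: bytes, port: int = ENCAP_PORT) -> bool:
    """True if pkt decapsulates cleanly, i.e. looks like gateway wrapper traffic."""
    try:
        decapsulate(pkt, port)
        return True
    except ValueError:
        return False


def demo() -> bytes:
    """Constructed sample: an ESP packet from the client to the gateway, wrapped and unwrapped."""
    inner = build_ipv4("10.0.0.2", "192.0.2.1", IPPROTO_ESP, b"constructed ESP payload")
    outer = encapsulate(inner)
    assert decapsulate(outer, strict=True) == inner
    return outer


if __name__ == "__main__":
    pkt = demo()
    print("outer packet: %d bytes, inner proto after unwrap: %d" % (len(pkt), parse_ipv4(decapsulate(pkt))["proto"]))
```

A packet-inspection tool that understands this layout only needs `decapsulate` to reach the real IP/L4 headers underneath; `is_encap_packet` is the kind of predicate you would use to classify traffic to and from the gateway address before handing it to a parser that expects plain IP.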