[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement

Rolando Zappacosta zappacor at yahoo.com.ar
Wed Apr 8 15:43:12 EDT 2009


Thank you VERY MUCH!!!!!!!!!!!!!


--- On Wed, 4/8/09, Paul Wouters <paul at xelerance.com> wrote:

> From: Paul Wouters <paul at xelerance.com>
> Subject: Re: [Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement
> To: "Rolando Zappacosta" <zappacor at yahoo.com.ar>
> Cc: users at openswan.org
> Date: Wednesday, April 8, 2009, 7:33 PM
> On Mon, 6 Apr 2009, Rolando Zappacosta wrote:
> 
> >>>   modprobe ip_queue
> >>>   UDP501encap &
> >>>   iptables -A OUTPUT -d <GW IP addr> -j QUEUE
> >>>   iptables -A INPUT -s <GW IP addr> -j QUEUE
> >>> before launching OSW as usual.
> >>
> >> Is that IP the local IP or the remote IP?
> > The remote one, we encapsulate on Tx to the far end and we decapsulate on Rx from the far end.
> >
> 
> >> Is this a portforward from 501 to 500? If so, why does it
> >> need to go through userland?
> > No. Lucent's way to work around NATing is to change this:
> >   | IP | whatever L4 proto | Payload |
> >   where IP has the (IP source; IP dest) within it
> > into this:
> >   | IP | UDP:XXX | IP | whatever L4 proto | Payload |
> >   where both IPs have the same (IP source; IP dest) within them and XXX is the configurable UDP port (default=501)
> >
> > In a nutshell, they "tunnelize" all the traffic to/from the client and the gateway into an IP/UDP:XXX header
> 
> Ugh. Okay I see. I'll see how to properly integrate this using a config file option and the standard _updown script.
> 
> Paul

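The IP/UDP:XXX wrapping described in the quoted thread, as an added example that is not code from the thread, from Openswan or from the UDP501encap tool: a constructed Python model that encapsulates a whole IP packet the Lucent way (outer header copies the inner source/destination, UDP port 501) and, on the receive side, refuses datagrams whose outer and inner headers do not agree. The RFC 5737 addresses and the ESP payload in `sample_inner()` are constructed sample input.

```python
import socket
import struct
LUCENT_UDP_PORT = 501  # default encapsulation port quoted in the thread

def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, port: int = LUCENT_UDP_PORT) -> bytes:
    """Wrap a whole IP packet in an outer IP/UDP:port header (the Tx side).
    The outer header copies the inner (src, dst), as the thread describes."""
    src, dst = inner[12:16], inner[16:20]
    udp = struct.pack("!HHHH", port, port, 8 + len(inner), 0) + inner  # UDP csum 0
    return ipv4_header(src, dst, 17, len(udp)) + udp

def decapsulate(outer: bytes, port: int = LUCENT_UDP_PORT) -> bytes:
    """Strip the outer IP/UDP header (the Rx side), refusing anything malformed.
    Returns the inner IP packet or raises ValueError."""
    if len(outer) < 48 or outer[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != 17 or ip_checksum(outer[:ihl]) != 0:
        raise ValueError("outer packet is not UDP or has a bad checksum")
    sport, dport, ulen, _ = struct.unpack("!HHHH", outer[ihl:ihl + 8])
    if dport != port or ulen > len(outer) - ihl:
        raise ValueError("wrong UDP port or truncated datagram")
    inner = outer[ihl + 8:ihl + ulen]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    # Lucent keeps the same (src, dst) on both headers; a mismatch means a
    # malformed or spoofed packet that must not be handed to the stack.
    if inner[12:20] != outer[12:20]:
        raise ValueError("inner/outer addresses differ")
    return inner

def sample_inner() -> bytes:
    """Constructed test packet: ESP (proto 50) between two documentation addresses."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.1")
    return ipv4_header(src, dst, 50, 8) + bytes(8)
```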