[Openswan Users] Openswan + NAT-T + Checkpoint NGX

Dmitriy Samovskiy dmitriy04111 at gmail.com
Mon Feb 22 12:06:54 EST 2010


We are running into an issue getting Openswan 2.4.12 (straight from
Ubuntu Jaunty, Linux kernel) behind NAT to establish a tunnel
with Checkpoint NGX using NAT-T.

Openswan is behind NAT. "nat_traversal=yes" is under "config setup".
"forceencaps=yes" is under "conn foo". Checkpoint is not behind NAT.

The problem is that the tunnel gets established but it ends up using
regular ESP (proto 50):

STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff
<0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}

(note "NATD=none" instead of expected "NATD=XX.XX.XX.XX:4500")

Identical setup works correctly using NAT-T with a bunch of different
IPsec endpoints (other Openswans, Cisco, etc.); so far only Checkpoint
is causing this problem.

Has anybody seen anything like this? Any thoughts what it might be? Is
there a way to force openswan to do NAT-T or refuse to establish a
tunnel otherwise?

Thanks in advance,

Dmitriy Samovskiy
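Added example (not part of the post above, nor Openswan's own code): a small check that parses pluto's "IPsec SA established" summary line, using the field names visible in the quoted log line, and flags a conn that was configured with forceencaps=yes but came up as plain ESP (NATD=none). The sample log lines and the 192.0.2.10:4500 peer address are constructed for the example.

```python
import re

# Pattern for the "IPsec SA established {...}" summary printed by pluto.
# Field names (ESP/NAT, xfrm, NATD, DPD) come from the log line quoted in
# the post; the pattern itself is an added example, not Openswan code.
SA_LINE_RE = re.compile(
    r"IPsec SA established \{"
    r"(?P<proto>ESP(?:/NAT)?)=>(?P<spi_out>0x[0-9a-f]+)\s*<(?P<spi_in>0x[0-9a-f]+)"
    r"\s+xfrm=(?P<xfrm>\S+)\s+NATD=(?P<natd>\S+)\s+DPD=(?P<dpd>\S+)\}"
)

def parse_sa_line(line):
    """Return the SA fields of one pluto log line as a dict, or None if it is not an SA line."""
    m = SA_LINE_RE.search(line)
    return m.groupdict() if m else None

def check_encapsulation(sa, forceencaps):
    """Compare an established SA with the NAT-T expectation of its conn.

    forceencaps=True means the conn carried forceencaps=yes, so ESP should be
    UDP-encapsulated and pluto should report the peer's NAT-D address:port.
    NATD=none means the SA is running plain ESP (IP protocol 50).
    """
    encapsulated = sa["natd"] != "none"
    if forceencaps and not encapsulated:
        return "MISMATCH: forceencaps=yes but SA uses plain ESP (NATD=none)"
    if encapsulated:
        return "OK: UDP-encapsulated ESP via NAT-T"
    return "OK: plain ESP (no NAT-T requested)"

# Constructed sample lines: the first reproduces the line quoted in the post
# (re-joined onto one line); the second is a made-up NAT-T success with a
# placeholder peer address; the third is an ISAKMP line that must be ignored.
SAMPLE_LINES = [
    "STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}",
    "STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0x0aabbcc <0x0112233 xfrm=AES_256-HMAC_SHA1 NATD=192.0.2.10:4500 DPD=none}",
    "STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}",
]

def audit(lines, forceencaps=True):
    """Run the check over a sequence of log lines; one verdict per IPsec SA line."""
    verdicts = []
    for line in lines:
        sa = parse_sa_line(line)
        if sa is not None:
            verdicts.append(check_encapsulation(sa, forceencaps))
    return verdicts

if __name__ == "__main__":
    for verdict in audit(SAMPLE_LINES):
        print(verdict)
```

Feeding the output of `grep "IPsec SA established" /var/log/auth.log` (or wherever pluto logs on the host) into audit() turns the "NATD=none" symptom into an alert instead of something to spot by eye.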
