[Openswan Users] Openswan + NAT-T + Checkpoint NGX

Paul Wouters paul at xelerance.com
Mon Feb 22 14:01:23 EST 2010

On Mon, 22 Feb 2010, Dmitriy Samovskiy wrote:

> We are running into an issue getting Openswan 2.4.12 (straight from

upgrade to 2.4.15 at least....

> Ubuntu Jaunty, Linux kernel behind NAT to establish a tunnel
> with Checkpoint NGX using NAT-T.
> Openswan is behind NAT. "nat_traversal=yes" is under "config setup".
> "forceencaps=yes" is under "conn foo". Checkpoint is not behind NAT.

You should not need forceencaps if you are NAT'ed already.

> The problem is that the tunnel gets established but it ends up using
> regular ESP (proto 50):
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff
> <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}

Did the vendorids now show that NAT-T was negotiated?

> (note "NATD=none" instead of expected "NATD=XX.XX.XX.XX:4500")
> Identical setup works correctly using NAT-T with a bunch of different
> IPsec endpoints (other openswans, cisco, etc), so far only checkpoint
> is causing this problem.
> Has anybody seen anything like this? Any thoughts what it might be? Is
> there a way to force openswan to do NAT-T or refuse to establish a
> tunnel otherwise?

Does the checkpoint allow NAT-T for other clients? Or from other locations?


More information about the Users mailing list