[Openswan Users] Openswan + NAT-T + Checkpoint NGX
Paul Wouters
paul at xelerance.com
Mon Feb 22 14:01:23 EST 2010
On Mon, 22 Feb 2010, Dmitriy Samovskiy wrote:
> We are running into an issue getting Openswan 2.4.12 (straight from
upgrade to 2.4.15 at least....
> Ubuntu Jaunty, Linux kernel 2.6.21.7) behind NAT to establish a tunnel
> with Checkpoint NGX using NAT-T.
>
> Openswan is behind NAT. "nat_traversal=yes" is under "config setup".
> "forceencaps=yes" is under "conn foo". Checkpoint is not behind NAT.
You should not need forceencaps if you are NAT'ed already.
> The problem is that the tunnel gets established but it ends up using
> regular ESP (proto 50):
>
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff
> <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Did the vendorids now show that NAT-T was negotiated?
> (note "NATD=none" instead of expected "NATD=XX.XX.XX.XX:4500")
>
> Identical setup works correctly using NAT-T with a bunch of different
> IPsec endpoints (other openswans, cisco, etc), so far only checkpoint
> is causing this problem.
>
> Has anybody seen anything like this? Any thoughts what it might be? Is
> there a way to force openswan to do NAT-T or refuse to establish a
> tunnel otherwise?
Does the checkpoint allow NAT-T for other clients? Or from other locations?
Paul
More information about the Users
mailing list