[Openswan Users] Openswan + NAT-T + Checkpoint NGX
Dmitriy Samovskiy
dmitriy04111 at gmail.com
Mon Feb 22 14:41:34 EST 2010
Thanks for your quick reply, Paul.
>> The problem is that the tunnel gets established but it ends up using
>> regular ESP (proto 50):
>>
>> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff
>> <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
>
> Did the vendorids now show that NAT-T was negotiated?
This may sound like a stupid question but how can I find it out?
With tunnels to Cisco, I sometimes see in logs "ignoring Vendor ID
payload" lines but I don't have them with Checkpoint, even with
plutodebug="all".
> Does the checkpoint allow NAT-T for other clients? Or from other locations?
Checkpoint GUI has NAT-T checkbox checked, that's all I know. I doubt
they have other NAT-T tunnels but getting this fact double-checked
now.
Thanks,
Dmitriy