[Openswan Users] About openswan nat detection

Zhiping Liu flyingzpl at gmail.com
Sat Jan 9 10:03:10 EST 2010

Thanks, Paul.

The firewall in front of the Linux box HAS IPsec ability, but it is not enabled; I'm sure
about that.

You said "Your firewall is doing ipsec", but the firewall cannot receive a
packet that is actually for another machine, right?

You mentioned UDP port 4500; I don't see any packets coming from 4500 on either
Linux box. 500 and 4500 are all forwarded using DNAT.


Pinging from boxA to boxB, tcpdump on firewallA shows an error of "protocol 50
unreachable". I don't know what this means; I think the firewall doesn't have to
check ESP packets...

I'm still thinking about the command output "NAT-Traversal: Only 0 NAT-D -
Aborting NAT-Traversal negotiation.". Does it mean the Linux box will not
use NAT-Traversal to send packets, and that may be the cause of the "protocol 50
unreachable" on firewallA?

2010/1/8 Paul Wouters <paul at xelerance.com>

> On Fri, 8 Jan 2010, Zhiping Liu wrote:
>> Hi list...
>> I have two Linux boxes (openswan 2.6.23, kernel, both behind a
>> firewall (this might be a problem?)); I used these two to
>> build a network-to-network connection.
>> It seems that the IPsec tunnel is up and the route is set, but if I ping from one
>> box to another, no ICMP result!
>> I set nat_traversal=yes in /etc/ipsec.conf; when I start up a connection
>> using the command:
>> ipsec auto --up CONNECTION
>> it says:
>> NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation.
>> But the two Linux boxes really are behind a firewall; I don't know why
>> openswan says "Only 0 NAT-D". Does anyone know what
>> mechanism is used to detect whether we are NATed or not?
> Your firewall is doing ipsec or you are not forwarding all the right ports,
> and perhaps forgot port udp 4500?
> Paul

from Romeo
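The NAT detection mechanism asked about in this thread is the NAT-D payload of RFC 3947 (IKEv1 NAT-Traversal): each side sends hashes of the addresses it believes are in use, and the receiver compares them against what it actually sees on the wire. The following is an added illustration written for this thread, not openswan's code; the cookies, addresses and ports are constructed sample values and SHA-1 is assumed as the negotiated hash.

```python
# Added illustration of RFC 3947 NAT-D detection (IKEv1 NAT-Traversal); this is
# not openswan's code. Cookies, addresses and ports are constructed sample values.
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port): raw IPv4 bytes, port big-endian."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()

def build_nat_d(cky_i, cky_r, peer, own):
    """What a sender puts in its packet: the peer's address first, then its own."""
    return [nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *own)]

def detect_nat(cky_i, cky_r, nat_d, observed_src, observed_dst):
    """Receiver side: compare received NAT-D hashes with hashes of the addresses
    actually seen on the wire. Returns (status, local_nat, peer_nat)."""
    if len(nat_d) < 2:  # fewer than two payloads: nothing to compare (the log line)
        return ("Only %d NAT-D - Aborting NAT-Traversal negotiation" % len(nat_d),
                None, None)
    # First payload is the peer's view of *our* address; the rest are its own.
    local_nat = nat_d[0] != nat_d_hash(cky_i, cky_r, *observed_dst)
    peer_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in nat_d[1:]
    return ("ok", local_nat, peer_nat)

# Constructed scenario: boxA 192.168.1.10 behind firewallA (public 203.0.113.5),
# boxB 10.0.0.20 behind firewallB (public 198.51.100.7), UDP 500 DNATed on both.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

def scenario_both_natted():
    sent = build_nat_d(CKY_I, CKY_R, peer=("198.51.100.7", 500),
                       own=("192.168.1.10", 500))
    # boxB sees the packet arrive from firewallA's public address, to its private one
    return detect_nat(CKY_I, CKY_R, sent, observed_src=("203.0.113.5", 500),
                      observed_dst=("10.0.0.20", 500))

def scenario_no_nat_d():
    # The peer sent no NAT-D payloads at all, which is what "Only 0 NAT-D" reports.
    return detect_nat(CKY_I, CKY_R, [], ("203.0.113.5", 500), ("10.0.0.20", 500))

if __name__ == "__main__":
    print(scenario_both_natted())  # ('ok', True, True): both ends are behind NAT
    print(scenario_no_nat_d())
```

With both payloads present and both addresses rewritten, each side learns it is NATed and switches to UDP 4500 encapsulation; with no NAT-D payloads there is nothing to compare, so the negotiation is aborted exactly as the log line says.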