[Openswan Users] About openswan nat detection

[Zhiping Liu]

Thanks Paul.

Firewall in front of linux box HAVE ipsec ablitity,but not enabled,i'm sure
about that.

you saied "Your firewall is doing ipsec",but firewall can not recive a
package that is actually for other machine,right?

You metioned udp port 4500,i don't see any packages coming from 4500 on both
linux boxes.500 and 4500 all forward using DNAT.

boxA--->firewallA------------firewallB<----boxB

ping from boxA to boxB,tcpdump on firewallA shows an error of "protcol 50
unreachable",i don't know what's this mean,i think firewall don't kave to
check ESP packages...

i still think about the command output of "NAT-Traversal: Only 0 NAT-D -
Aborting NAT-Traversal negotiation.". does it mean the linux box will not
use nat-traversal to send package, and that may the course of protocol 50
unreachable on firewallA?

2010/1/8 Paul Wouters <paul at xelerance.com>

> On Fri, 8 Jan 2010, Zhiping Liu wrote:
>
>  Hi list...
>> I have two linux box(openswan 2.6.23,kernel 2.6.28.9),both behind
>> firewall(this might be a problem?),i used these two to
>> build  a network-to-network connection.
>> it seems that the ipsec tuunel is up,route is set.but if i ping from one
>> box to another,no icmp result !
>>
>> I set nat_traversal=yes in /etc/ipsec.conf,when i start up a connection
>> use command:
>>
>> ipsec auto --up CONNECTION
>>
>> it says:
>>
>> NAT-Traversal: Only 0 NAT-D - Aborting NAT-Traversal negotiation.
>>
>> But the two linux box is really behind a firewall,i don't know why
>> openswan say "Only 0 NAT-D",anyone knows what
>> mechanism is used to detect if ourself is nated or not?
>>
>
> Your firewall is doing ipsec or you are not forwarding all the right ports,
> and perhaps
> forgot port udp 4500?
>
> Paul
>



-- 
from Romeo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100109/7f1d067f/attachment.html