[Openswan Users] Reply: Re: Openswan + NAT-T + Checkpoint NGX
Frank Mayer
frank.mayer at knapp.com
Tue Mar 2 09:36:53 EST 2010
Hi,
I have experienced similar behaviour, depending on the device that does
the NAT:
E.g. many home-routers do have a setting called "SPI forwarding" or some
such.
SPI in this case stands for "Security Parameter Index", not to be confused
with SPI = "Stateful Packet Inspection", as some manufacturers call
their firewalling.
AFAIK, SPI forwarding enables NATing of a single IPSec connection, when
one of the peers does not support NAT-T.
If your NAT device is configured for SPI forwarding, try deactivating
that.
Best Regards,
Frank
users-bounces at openswan.org wrote on 22.02.2010 20:41:34:
> Dmitriy Samovskiy <dmitriy04111 at gmail.com>
> Sent by: users-bounces at openswan.org
>
> 22.02.2010 20:41
>
> Please reply to
> dmitriy at somic.org
>
> To
>
> Paul Wouters <paul at xelerance.com>, users at openswan.org
>
> Cc
>
> Subject
>
> Re: [Openswan Users] Openswan + NAT-T + Checkpoint NGX
>
> Thanks for your quick reply, Paul.
>
> >> The problem is that the tunnel gets established but it ends up using
> >> regular ESP (proto 50):
> >>
> >> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff
> >> <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
> >
> > Did the vendorids now show that NAT-T was negotiated?
>
> This may sound like a stupid question but how can I find it out?
>
> With tunnels to Cisco, I sometimes see in logs "ignoring Vendor ID
> payload" lines but I don't have them with Checkpoint, even with
> plutodebug="all".
>
> > Does the checkpoint allow NAT-T for other clients? Or from other locations?
>
> Checkpoint GUI has NAT-T checkbox checked, that's all I know. I doubt
> they have other NAT-T tunnels but getting this fact double checked
> now.
>
> Thanks,
> Dmitriy
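
The thread's question of whether a tunnel is really using NAT-T or plain ESP (proto 50) can also be checked on the wire. The following is an added example, not part of the original messages: it labels raw IPv4 packets using the RFC 3948 framing (ESP-in-UDP on port 4500, four zero bytes before IKE, one-byte keepalive). The function names, labels and sample packets are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: four zero bytes precede IKE on UDP 4500

def _spi(data: bytes) -> str:
    # The SPI (Security Parameter Index) is the first 32 bits of the ESP header.
    return "0x%08x" % struct.unpack("!I", data[:4])[0]

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet: native ESP, ESP-in-UDP (NAT-T), IKE or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    payload = pkt[ihl:]
    if proto == 50:  # ESP directly over IP: no NAT-T encapsulation
        return "esp-native spi=" + _spi(payload) if len(payload) >= 8 else "truncated"
    if proto != 17 or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if 4500 in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"  # one-byte NAT keepalive
        if data[:4] == NON_ESP_MARKER:
            return "ike-over-4500"  # IKE moved to 4500 after NAT detection
        return "esp-in-udp spi=" + _spi(data) if len(data) >= 8 else "truncated"
    # Assumption: any UDP traffic on port 500 is treated as IKE.
    return "ike-over-500" if 500 in (sport, dport) else "other"

# --- constructed sample packets (checksums left at 0, documentation addresses) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP_BODY = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16  # constructed SPI/seq
SAMPLES = {
    "native": ipv4(50, ESP_BODY),
    "natt": ipv4(17, udp(4500, 4500, ESP_BODY)),
    "ike4500": ipv4(17, udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28)),
    "keepalive": ipv4(17, udp(4500, 4500, b"\xff")),
    "ike500": ipv4(17, udp(500, 500, b"\x11" * 28)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify(pkt)}")
```

Run against packets captured on the outside of the NAT device, a tunnel that negotiated NAT-T shows only the UDP 4500 labels, while `esp-native` means the peers are exchanging protocol 50 directly.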