[Openswan Users] Antwort: Re: Openswan + NAT-T + Checkpoint NGX

Frank Mayer frank.mayer at knapp.com
Tue Mar 2 09:36:53 EST 2010


I habe experienced similar behaviour, depending on the device that does 
the NAT:
E.g. many home-routers do have a setting called "SPI forwarding" or some 
SPI in this case stands for "Security Parameter Index", not to confuse 
with with SPI = "Stateful Packet Inspection", as some manufacturers call 
their firewalling.
AFAIK, SPI forwarding enables NATing of a single IPSec connection, when 
one of the peers does not support NAT-T.

If yout NAT device is configured for SPI forwarding, try deactivating 

Best Regards,

users-bounces at openswan.org schrieb am 22.02.2010 20:41:34:

> Dmitriy Samovskiy <dmitriy04111 at gmail.com> 
> Gesendet von: users-bounces at openswan.org
> 22.02.2010 20:41
> Bitte antworten an
> dmitriy at somic.org
> An
> Paul Wouters <paul at xelerance.com>, users at openswan.org
> Kopie
> Thema
> Re: [Openswan Users] Openswan + NAT-T + Checkpoint NGX
> Thanks for your quick reply, Paul.
> >> The problem is that the tunnel gets established but it ends up using
> >> regular ESP (proto 50):
> >>
> >> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff
> >> <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
> >
> > Did the vendorids now show that NAT-T was negotiated?
> This may sound like a stupid question but how can I find it out?
> With tunnels to Cisco, I sometimes see in logs "ignoring Vendor ID
> payload" lines but I don't have them with Checkpoint, even with
> plutodebug="all".
> > Does the checkpoint allow NAT-T for other clients? Or from other 
> Checkpoint GUI has NAT-T checkbox checked, that's all I know. I doubt
> they have other NAT-T tunnels but getting this fact doouble checked
> now.
> Thanks,
> Dmitriy
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100302/b1041480/attachment.html 

More information about the Users mailing list