[Openswan Users] NAT & noNAT

Pete Ashdown pashdown at xmission.com
Wed Sep 21 14:13:10 EDT 2011


On 09/21/2011 11:56 AM, Paul Wouters wrote:
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: transition from state STATE_MAIN_R1 to
>> state STATE_MAIN_R2
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R2: sent MR2, expecting MI3
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: ignoring informational payload, type
>> IPSEC_INITIAL_CONTACT msgid=00000000
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: Main mode peer ID is ID_IPV4_ADDR:
>> '198.X.X.168'
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: transition from state STATE_MAIN_R2 to
>> state STATE_MAIN_R3
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: new NAT mapping for #9, was
>> 198.X.X.168:500, now 198.X.X.168:4500
>
> But here the port changes from 500 to 4500, suggesting NAT?
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA
>> established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
>> group=modp1024}
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: the peer proposed: 74.X.X.1/32:17/1701
>> -> 198.X.X.168/32:17/0
>> "L2TP-PSK-NAT"[3] 198.X.X.168 #9: cannot respond to IPsec SA request
>> because no connection is known for
>> 74.X.X.1<74.X.X.1>[+S=C]:17/1701...198.X.X.168[+S=C]:17/57507
>
> Do you have rightprotoport=17/%any ?

I have what the example has:

# Using the magic port of "0" means "any one single port". This is
# a work around required for Apple OSX clients that use a randomly
# high port, but propose "0" instead of their port.
rightprotoport=17/0


> I'm a little confused why that works
>
> Is this a recent openswan?
2.6.35
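As an added illustration (not part of Pete's or Paul's messages, and not Openswan code): a small Python checker that parses the pluto lines quoted above and pulls out the two things this thread turns on, the NAT-T port move from 500 to 4500 and the Quick Mode proposal that was rejected for lack of a matching connection, then tests whether a given rightprotoport would have covered the port the client actually used. The protoport matching rule it applies (%any or 0 accept any single port, a numeric port must match exactly) is an assumption drawn from the comment in the config excerpt, not Openswan's own matching code; the sample log is the page's own lines re-joined from their mail-wrapped form, with the masked addresses kept as they appear.

```python
import re

# Constructed sample: the pluto log lines quoted in this thread, re-joined from
# their mail-wrapped form. The 198.X.X.168 / 74.X.X.1 addresses are the masked
# values from the page, not real hosts.
SAMPLE_LOG = [
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R2: sent MR2, expecting MI3',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: new NAT mapping for #9, was 198.X.X.168:500, now 198.X.X.168:4500',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: the peer proposed: 74.X.X.1/32:17/1701 -> 198.X.X.168/32:17/0',
    '"L2TP-PSK-NAT"[3] 198.X.X.168 #9: cannot respond to IPsec SA request because no connection is known for 74.X.X.1<74.X.X.1>[+S=C]:17/1701...198.X.X.168[+S=C]:17/57507',
]

# ISAKMP on UDP 500 moves to UDP 4500 once both peers agree to NAT traversal.
NAT_RE = re.compile(r"new NAT mapping for #\d+, was (\S+):(\d+), now (\S+):(\d+)")
# Quick Mode proposal: <client>/<mask>:<proto>/<port> -> <server>/<mask>:<proto>/<port>
PROPOSAL_RE = re.compile(r"the peer proposed: \S+:(\d+)/(\d+) -> \S+:(\d+)/(\d+)")
# The rejection line carries the protocol/port the client is really using.
NOCONN_RE = re.compile(r"no connection is known for \S+?:(\d+)/(\d+)\.\.\.\S+?:(\d+)/(\d+)")


def protoport_covers(configured: str, proto: int, port: int) -> bool:
    """Would this leftprotoport/rightprotoport value accept proto/port?

    Assumed rule, taken from the config comment in the thread rather than from
    Openswan's code: "%any" or "0" accept any single port, a numeric port must
    match exactly, and the protocol number must always match.
    """
    cfg_proto, cfg_port = configured.split("/")
    if int(cfg_proto) != proto:
        return False
    if cfg_port in ("%any", "0"):
        return True
    return int(cfg_port) == port


def diagnose(lines, rightprotoport: str) -> dict:
    """Walk pluto log lines and collect the NAT-T and protoport evidence."""
    report = {"rightprotoport": rightprotoport, "nat_ports": None,
              "nat_traversal": False, "proposed": None, "rejected": None,
              "covered": None}
    for line in lines:
        m = NAT_RE.search(line)
        if m:
            old_port, new_port = int(m.group(2)), int(m.group(4))
            report["nat_ports"] = (old_port, new_port)
            report["nat_traversal"] = (old_port, new_port) == (500, 4500)
            continue
        m = PROPOSAL_RE.search(line)
        if m:
            report["proposed"] = {
                "left": (int(m.group(1)), int(m.group(2))),
                "right": (int(m.group(3)), int(m.group(4))),
            }
            continue
        m = NOCONN_RE.search(line)
        if m:
            rejected_right = (int(m.group(3)), int(m.group(4)))
            report["rejected"] = {
                "left": (int(m.group(1)), int(m.group(2))),
                "right": rejected_right,
            }
            report["covered"] = protoport_covers(rightprotoport, *rejected_right)
    return report


def findings(report: dict) -> list:
    """Turn the report into the one-line conclusions an operator wants."""
    out = []
    if report["nat_traversal"]:
        out.append("peer is behind NAT: ISAKMP moved from UDP 500 to 4500 (NAT-T)")
    if report["proposed"] and report["rejected"]:
        proposed_port = report["proposed"]["right"][1]
        actual_port = report["rejected"]["right"][1]
        if proposed_port == 0 and actual_port != 0:
            out.append(f"client proposed port 0 but is really on port {actual_port}")
    if report["covered"] is False:
        out.append(f"rightprotoport={report['rightprotoport']} does not cover the client's port")
    elif report["covered"] is True:
        out.append(f"rightprotoport={report['rightprotoport']} accepts the client's port "
                   "under the assumed rule; the rejection is not explained by the port alone")
    return out


if __name__ == "__main__":
    for cfg in ("17/0", "17/1701", "17/%any"):
        print(cfg, findings(diagnose(SAMPLE_LOG, cfg)))
```

Run it on a real /var/log/auth.log or pluto.log slice by replacing SAMPLE_LOG with the file's lines; the regexes only depend on the message text after the connection name and state number, so the masked addresses in the sample do not matter.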

