[Openswan Users] Shouldn't this be NATed?

James Nelson james.nelson.ii at gmail.com
Fri Sep 23 13:37:31 EDT 2011


To add upon the previous quandary, correct me if I'm wrong.  After the SA
tunnel is established, shouldn't traffic I send via a browser on a server be
seen through port 500 or 4500?  As of right now, all traffic is still
heading through 80, at least when I run the following commands:

tcpdump -i eth0 -n -p port 80
tcpdump -i eth0 -n -p udp port 500 or udp port 4500

Which makes me think of two things:
1) How do I actually force traffic to go through those ports (as I then have
been testing wrong all this time)?
2) What's wrong with my Openswan connection that's causing traffic not to go
through?

-James

On Fri, Sep 23, 2011 at 11:27 AM, James Nelson <james.nelson.ii at gmail.com> wrote:

> I promise, once this gets up, there will be celebrations with rainbows and
> puppies and kittens and cocktails.  Okay, so it'll probably be just
> cocktails.
>
> Same setup as my previous posts, with an Amazon EC2 to Client connection.
> When I establish the conn, here is my response:
>
> 104 "ec2check" #6: STATE_MAIN_I1: initiate
> 106 "ec2check" #6: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "ec2check" #6: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "ec2check" #6: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
> 117 "ec2check" #7: STATE_QUICK_I1: initiate
> 003 "ec2check" #7: ignoring informational payload, type
> IPSEC_RESPONDER_LIFETIME msgid=a4bbfe57
> 004 "ec2check" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
> mode {ESP/NAT=>0xbcd53ec2 <0x6981795a xfrm=3DES_0-HMAC_MD5 NATOA=none
> NATD=none DPD=none}
>
> In the .conf, nat_traversal=yes & forceencaps=yes.  Using Amazon with
> Openswan, shouldn't I be expecting NATD to say something other than none?
> Don't my packets need to be NATed when using an Elastic IP with EC2?  I
> believe that the client firewall is expecting NATed traffic to hit their
> firewall, which might be why nothing is getting through.  Or if this is
> correct, what should I be expecting?
>
> -- James
>
> PS Is there a donation page somewhere?
>