[Openswan Users] Asynchronous network error w/ Android 2.3 and NAT on both sides

Corrado Primier ilbardo at gmail.com
Tue Feb 21 18:38:46 EST 2012


Sorry, I just noticed I moved this in private with Paul (damn gmail!).
I sort of figured out the problem with him, even though it's not
totally ok.

2012/2/22 Willie Gillespie <wgillespie+openswan at es2eng.com>:
> IPsec is connecting properly.  Perhaps the problem is that you have your
> xl2tpd with a local ip of 192.168.42.3, where the IPsec connection is only
> 192.168.4.2 (UDP port 1701).

It seems not. Actually it looks like a buggy router on the client
side. This is what I wrote to Paul in my last e-mail:

------
I did a more thorough tcpdump session, and noticed that it's a
client-side router problem: the client sends the IKE request, the
router replies and then nothing more comes back. I tried setting up
the client router so that it forcefully forwards port 500 to the
Android device and, lo and behold, everything works fine.

Now my thought is: is this right? Since both the source and
destination ports are the same, if the packets are correctly seen as
related by the router they should be forwarded to the client
automatically, shouldn't they? That's what I suppose anyway, since
every other connection works bi-directionally, but maybe the router
doesn't get this because we're using UDP here.
Since this happened to me on a few NATted connections I wonder if
there's a way to move the IKE handshake to TCP, and if this idea makes
sense anyway...
------

Now, about this last idea of mine... this obviously means that the
Android device should try the connection on the ISAKMP TCP port, and I
don't think it is able to. Is it a lost cause?


Corrado
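The diagnosis in the quoted passage (the client's IKE request goes out, a reply may come back once, then nothing more returns through the NAT) is easy to confirm from a tcpdump session by tallying ISAKMP packets per direction and per UDP port. The script below is an added example, not part of this thread or of Openswan; the capture it parses is constructed to mimic `tcpdump -n` output, the client address 192.168.42.3 is taken from the thread, and the server address 203.0.113.10 is a documentation-range placeholder.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the thread). It mimics the output of
# "tcpdump -n udp port 500 or udp port 4500" on the client side: the initial
# exchange on UDP 500 gets one reply, then the NAT-T continuation on UDP 4500
# is retransmitted three times without any answer coming back.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 192.168.42.3.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:01.050 IP 203.0.113.10.500 > 192.168.42.3.500: isakmp: phase 1 R ident
12:00:01.100 IP 192.168.42.3.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident
12:00:02.100 IP 192.168.42.3.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident
12:00:03.100 IP 192.168.42.3.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident
"""

# Matches the "IP src.port > dst.port:" part of a tcpdump line.
PKT_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def isakmp_flow_summary(capture, local_ip):
    """Count ISAKMP packets per (remote_ip, udp_port) as seen from local_ip.

    'sent' counts packets leaving local_ip, 'received' counts replies that
    made it back through the NAT to local_ip. Non-ISAKMP lines are ignored.
    """
    summary = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in capture.splitlines():
        if "isakmp" not in line:
            continue
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if src == local_ip:
            summary[(dst, dport)]["sent"] += 1
        elif dst == local_ip:
            summary[(src, sport)]["received"] += 1
    return dict(summary)


def find_one_way_flows(summary):
    """Return (remote_ip, port) flows with outbound packets but no reply.

    Repeated 'sent' with zero 'received' is the signature of a return path
    that the NAT never mapped (or a peer that never answered); a port forward
    for that UDP port on the client-side router is what fixed it in the thread.
    """
    return sorted(key for key, c in summary.items() if c["sent"] and not c["received"])


if __name__ == "__main__":
    flows = isakmp_flow_summary(SAMPLE_CAPTURE, "192.168.42.3")
    for (remote, port), counts in sorted(flows.items()):
        print(f"{remote}:{port}  sent={counts['sent']}  received={counts['received']}")
    for remote, port in find_one_way_flows(flows):
        print(f"one-way flow: no reply from {remote} on UDP {port}")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the saved tcpdump text; a flow that shows several retransmissions on UDP 4500 (or 500) and zero replies, while an earlier exchange on the other port did get an answer, points at the client-side NAT rather than at the server or at the xl2tpd configuration.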
