[Openswan Users] Asynchronous network error w/ Android 2.3 and NAT on both sides

Corrado Primier ilbardo at gmail.com
Wed Feb 22 04:48:50 EST 2012


2012/2/22 Paul Wouters <paul at nohats.ca>:
>> I tried setting up
>> the client router so that it forcefully forwards port 500 to the
>> Android device and, lo and behold, everything works fine.
>
> It's called "IPsec passthrough". Those devices should be thrown out.

I suspected it. The problem is that sometimes it cannot be avoided. For
example, this specific router is also my DSL modem, and my ISP keeps
some settings secret, so I can't just throw it away for a better one.
The same goes for other ISPs: I had mixed results with the same 3G
provider, only in different cities, so my VPN access is not reliable
at all. Welcome to Italy -.-

> There is no ISAKMP TCP port. Cisco tunnels over tcp port 10000 but
> that's not an IETF standard.

I suspected this one too, but I found 500/tcp in /etc/services in all
the distros I use, so I thought I'd ask.

> It's an arms race. If people block port 500/4500 because they don't
> want vpn, and tcp 10000 works, then if too many do that they will
> block that port. Then we have to move again, until we have turned
> into skype.

So basically I am (we are) screwed :) I'll have a fun time trying to
explain this to the client. Thanks for all your help.

Corrado
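As an added example, not from this thread or from Openswan: a small Python classifier for the UDP framing discussed above. It tells IKE on port 500 apart from what RFC 3948 puts on port 4500 once NAT-T kicks in (four zero bytes before an IKE message, a single 0xFF keepalive, otherwise ESP), so a capture from a NATed client can be checked for whether the peers ever moved off port 500. The sample datagrams are constructed, and the SPI values in them are made up.

```python
import struct

IKE_PORT = 500         # ISAKMP/IKE runs over UDP only; there is no standard TCP port
NATT_PORT = 4500       # IKE and ESP move here after NAT is detected (RFC 3947/3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix of IKE messages carried on 4500
NAT_KEEPALIVE = b"\xff"                # one-byte NAT keepalive on 4500

# 28-byte ISAKMP header: SPIs, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

def parse_isakmp_header(data):
    """Return the fixed ISAKMP header fields, or raise ValueError."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, _npl, ver, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if length < ISAKMP_HDR.size:
        raise ValueError("ISAKMP length shorter than header")
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "major_version": ver >> 4,   # 1 = IKEv1, 2 = IKEv2
            "exchange_type": exch, "length": length}

def classify_udp(dst_port, payload):
    """Name the IPsec framing of one UDP datagram: ike, ike-natt, esp-udp, ..."""
    if dst_port == IKE_PORT:
        return "ike", parse_isakmp_header(payload)
    if dst_port == NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if payload.startswith(NON_ESP_MARKER):
            return "ike-natt", parse_isakmp_header(payload[4:])
        if len(payload) >= 8:                 # ESP-in-UDP: SPI (never zero) + sequence
            spi, seq = struct.unpack("!II", payload[:8])
            return "esp-udp", {"spi": spi, "seq": seq}
        raise ValueError("short datagram on port 4500")
    return "other", None

def natt_used(datagrams):
    """True if any IKE message in the capture was carried on port 4500."""
    return any(classify_udp(port, data)[0] == "ike-natt" for port, data in datagrams)

# Constructed sample datagrams (dst_port, payload), not a real capture:
SAMPLE = [
    (500,  ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)),      # IKEv1 main mode
    (4500, NON_ESP_MARKER + ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 8, 0x10, 32, 1, 0x1234, 28)),  # quick mode via NAT-T
    (4500, struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16),                    # ESP-in-UDP
    (4500, NAT_KEEPALIVE),
]
```

Running `natt_used(SAMPLE)` on a real capture converted to (port, payload) pairs shows whether the NAT detection payloads actually led both sides to switch to 4500; a session that stays on 500 behind two NATs is the situation the thread describes.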

