[Openswan Users] Firewall rules for openswan behind NAT (fwd)
Paul Wouters
paul at nohats.ca
Thu Nov 21 04:31:19 UTC 2013
On Wed, 20 Nov 2013, Neal Murphy wrote:
> A neuron just painfully fired. I'll bet ICMP is *required* for NAT-T. From
Nope. NAT-T works on IKE port 500 and 4500. Both ends send a hash of
what they think their IP address is, and the other end sees if it
matches.
The forceencaps=yes option fakes that hash to be false, so it always
triggers as "the ip is different, you must be NATed".
Paul
--
Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/
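The hash check Paul describes, as an added example that is not part of the original thread or of the Openswan/Libreswan code: a Python model of the IKEv2 NAT_DETECTION_*_IP payload (RFC 7296, section 2.23: SHA-1 over the two SPIs, the address and the port), with the forceencaps case modelled as a deliberately non-matching digest. The SPIs, addresses and ports are constructed sample values.

```python
"""Model of IKE NAT-Traversal detection: each side hashes the address and
port it believes it has; the peer recomputes the hash over the address and
port it actually saw on the packet. A mismatch means a NAT is in the path.
Constructed sample values throughout; not the project's own code."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500  # initial exchange; peers move to 4500 once NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | port) as carried in NAT_DETECTION_SOURCE_IP /
    NAT_DETECTION_DESTINATION_IP (RFC 7296 s2.23). IP is 4 or 16 bytes."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def source_hash(spi_i: bytes, spi_r: bytes, own_ip: str, own_port: int,
                force_encaps: bool = False) -> bytes:
    """Digest the sender places in NAT_DETECTION_SOURCE_IP. forceencaps=yes is
    modelled (hypothetically) as corrupting the digest so it can never match."""
    h = bytearray(nat_detection_hash(spi_i, spi_r, own_ip, own_port))
    if force_encaps:
        h[0] ^= 0xFF
    return bytes(h)


def behind_nat(sent: bytes, spi_i: bytes, spi_r: bytes,
               seen_ip: str, seen_port: int) -> bool:
    """Receiver side: recompute over the source address/port actually seen."""
    return sent != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)


def demo() -> tuple:
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes(8)  # responder SPI is zero in the IKE_SA_INIT request
    own = ("192.0.2.10", IKE_PORT)
    # Case 1: no NAT, packet arrives with the address the sender hashed.
    direct = behind_nat(source_hash(spi_i, spi_r, *own), spi_i, spi_r, *own)
    # Case 2: a NAT rewrote the source to 203.0.113.5:40500 -> mismatch.
    natted = behind_nat(source_hash(spi_i, spi_r, *own), spi_i, spi_r,
                        "203.0.113.5", 40500)
    # Case 3: forceencaps=yes on a direct path still reports "NATed".
    forced = behind_nat(source_hash(spi_i, spi_r, *own, force_encaps=True),
                        spi_i, spi_r, *own)
    return direct, natted, forced


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

This is why ICMP plays no part in the detection: everything the peers compare travels inside the IKE UDP payload on 500/4500.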