[Openswan Users] Firewall rules for openswan behind NAT (fwd)

Paul Wouters paul at nohats.ca
Thu Nov 21 04:31:19 UTC 2013

On Wed, 20 Nov 2013, Neal Murphy wrote:

> A neuron just painfully fired. I'll bet ICMP is *required* for NAT-T. From

Nope. NAT-T works on IKE port 500 and 4500. Both ends send a hash of
what they think their IP address is, and the other end sees if it

The forceencaps=yes option fakes that hash to be false, so it always
triggers as "the ip is different, you must be NATed".

Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/

More information about the Users mailing list