[Openswan Users] Firewall rules for openswan behind NAT (fwd)

Neal Murphy neal.p.murphy at alum.wpi.edu
Thu Nov 21 05:20:05 UTC 2013


On Wednesday, November 20, 2013 11:31:19 PM Paul Wouters wrote:
> On Wed, 20 Nov 2013, Neal Murphy wrote:
> > A neuron just painfully fired. I'll bet ICMP is *required* for NAT-T.
> > From
> 
> Nope. NAT-T works on IKE port 500 and 4500. Both ends send a hash of
> what they think their IP address is, and the other end sees if it
> matches.
> 
> The forceencaps=yes option fakes that hash to be false, so it always
> triggers as "the ip is different, you must be NATed".

Right. So fragmentation doesn't enter the picture (i.e., it doesn't affect 
openswan, or openswan doesn't use path MTU discovery)?

Or is the F/W supposed to associate/relate the 'must fragment' ICMP message 
with the conn that triggered it and forward it to where it belongs?

N
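The NAT-D check Paul describes (each side hashes the address and port it believes it is using, the receiver recomputes the hash over the source address and port it actually observed, and a mismatch means a NAT rewrote the packet) is easy to model. The following is an added illustration written for this archive page, not code from openswan or from either poster; it follows the RFC 3947 NAT-D construction HASH(CKY-I | CKY-R | IP | Port) with SHA-1 as an assumed negotiated hash, and the cookies, addresses and ports are constructed sample values. The `force_encaps` flag models the effect of `forceencaps=yes` as the thread states it: the detection result is forced to "NATed" regardless of the hashes.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed 8-byte ISAKMP cookies for the sample exchange (not real session values).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload contents: HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed address (4 bytes for IPv4, 16 for IPv6) and Port is a
    2-byte big-endian UDP port. The hash algorithm is the one negotiated for
    the SA; SHA-1 is assumed here for the sample.
    """
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def peer_is_natted(cky_i: bytes, cky_r: bytes, claimed_hash: bytes,
                   observed_ip: str, observed_port: int,
                   force_encaps: bool = False) -> bool:
    """Receiver-side check.

    claimed_hash is what the peer put in its NAT-D payload (a hash of the
    address/port it *thinks* it has). We recompute over the source address and
    port seen on the wire; any difference means something rewrote the packet.
    With force_encaps (the thread's forceencaps=yes) the result is forced to
    True so UDP encapsulation on port 4500 is used unconditionally.
    """
    if force_encaps:
        return True
    expected = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    # Constant-time comparison; the value is not secret, but it is good habit.
    return not hmac.compare_digest(expected, claimed_hash)


def demo() -> dict:
    """Walk through three constructed scenarios and return the detection results."""
    results = {}

    # 1. No NAT: the peer's self-view and what we observe agree.
    claimed = nat_d_hash(CKY_I, CKY_R, "198.51.100.2", 500)
    results["no_nat"] = peer_is_natted(CKY_I, CKY_R, claimed, "198.51.100.2", 500)

    # 2. Peer sits on a private address; the NAT device rewrites the source to a
    #    public address, so the received hash no longer matches.
    claimed = nat_d_hash(CKY_I, CKY_R, "10.0.0.5", 500)
    results["behind_nat"] = peer_is_natted(CKY_I, CKY_R, claimed, "203.0.113.7", 500)

    # 3. Same as (1) but forceencaps=yes: detection is overridden to "NATed".
    claimed = nat_d_hash(CKY_I, CKY_R, "198.51.100.2", 500)
    results["forced"] = peer_is_natted(CKY_I, CKY_R, claimed, "198.51.100.2", 500, force_encaps=True)

    return results


if __name__ == "__main__":
    for name, natted in demo().items():
        print(f"{name}: {'NAT detected' if natted else 'no NAT'}")
```

Note that the check only needs the IKE packets on UDP 500 (and the subsequent move to 4500); nothing in it depends on ICMP, which is why the thread says ICMP is not required for NAT-T. A NAT-D mismatch also only tells the peers that a NAT exists, so the hash is a detection aid rather than a security control.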
