
List:       openswan-users
Subject:    Re: [Openswan Users] NAT Problem
From:       Tom Hughes <thh () cyberscience ! com>
Date:       2005-05-12 7:48:49
Message-ID: yek64xoriji.fsf () dellow ! uk ! cyberscience ! com

In message <42830832.9090709@dds.nl>
        Jacco de Leeuw <jacco2@dds.nl> wrote:

> Tom Hughes wrote:
>
>> After that nothing more happens - tcpdump shows the gateway sending
>> more IKE packets to him but we get no response. This has never been
>> a problem in the past - before the upgrade he was able to use tunnel
>> mode with the IPSEC passthrough in his router just fine so IKE traffic
>> normally gets through.
>
> NAT-T and IPsec passthrough are incompatible. If you prefer to use the
> router's IPsec passthrough, you will have to disable NAT-T.

I want to use NAT-T because tunnel mode connections from Windows
systems (required for IPsec passthrough) seem to be incompatible
with the Windows firewall.

Unfortunately on this particular system I can't get NAT-T to work
and IPsec passthrough also seems to have stopped working...

>> May 11 11:51:06 gate kernel: martian source yyy.yyy.yyy.yyy from 192.168.0.2, on dev eth0
>> May 11 11:51:06 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00
>> I have made sure rp_filter is turned off for all interfaces.
>
> I have not seen this error in Openswan because Openswan clears rp_filter
> automatically. So I don't know what is going on here.

Well I actually see any obvious link between those messages and
rp_filter anyway, at least from a brief read of the kernel source
code. It was just that some messages I found on google mentioned
turning it off in relation to those messages.

>> So currently he can't get connected at all from behind his router not
>> even using IPSEC passthrough which has always worked before. A direct
>> dialup without NAT works fine with a transport mode connection.
>
> Should you want to try NAT-T after all, then perhaps you could try your
> luck with a more recent kernel and/or Openswan.

Well the kernel is 2.6.11 already. I might have to try a more recent
build of openswan I guess. I'm using the Fedora Core 3 build at the 
moment.

Tom

-- 
Tom Hughes (thh@cyberscience.com)
Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/
_______________________________________________
Users mailing list
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users
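The "martian source" / "ll header" kernel lines quoted in this thread are easier to correlate with a tcpdump capture once they are split into fields. The parser below is an added example, not code from the thread or from Openswan; the log lines it embeds are constructed to match the quoted format, with a documentation address standing in for the masked public IP.

```python
import re

# Constructed sample modelled on the kernel messages quoted in the thread.
# 203.0.113.10 is a placeholder for the masked yyy.yyy.yyy.yyy address.
SAMPLE_LOG = """\
May 11 11:51:06 gate kernel: martian source 203.0.113.10 from 192.168.0.2, on dev eth0
May 11 11:51:06 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00
May 11 11:51:09 gate kernel: martian source 203.0.113.10 from 192.168.0.2, on dev eth0
May 11 11:51:09 gate kernel: ll header: 00:e0:29:52:b0:9b:00:01:96:a9:63:80:08:00
May 11 11:52:00 gate sshd[1234]: Accepted publickey for tom from 198.51.100.7
"""

# Kernel format: "martian source <daddr> from <saddr>, on dev <ifname>"
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: ([0-9a-f:]+)")


def parse_martians(log_text):
    """Return one record per 'martian source' line, paired with the
    'll header' line the kernel prints immediately after it."""
    records = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        dst, src, dev = m.groups()
        rec = {"dst": dst, "src": src, "dev": dev,
               "dst_mac": None, "src_mac": None, "ethertype": None}
        if i + 1 < len(lines):
            h = LLHDR_RE.search(lines[i + 1])
            if h:
                octets = h.group(1).split(":")
                # 14-byte Ethernet header: dst MAC, src MAC, EtherType
                rec["dst_mac"] = ":".join(octets[0:6])
                rec["src_mac"] = ":".join(octets[6:12])
                rec["ethertype"] = "".join(octets[12:14])
        records.append(rec)
    return records


def summarize(records):
    """Count (source IP, interface) pairs so repeat offenders stand out."""
    counts = {}
    for r in records:
        key = (r["src"], r["dev"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

The src_mac field is the one to match against the MAC seen in tcpdump on the outside interface, which tells you whether the 192.168.0.2 packets really arrive on eth0 or are being looped back by the box itself.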