From: John A. Sullivan III (john.sullivan_at_nexusmgmt.com)
Date: Fri Nov 15 2002 - 12:38:50 CET
We have had great success using the Arkoon NAT-T patch
(open-source.arkoon.net). We did have to change our firewall settings
from allowing 500/udp for source and destination to 500/udp for
destination only. However, I'm not sure how one would initiate a
connection to a NAT-T device. Unless the device being NAT'd has
initiated the packet flow, how will the NATting firewall know to which
port to map the inbound traffic? - John
Tarun Bajaj wrote:
> Hello All,
> I am trying to establish an ESP tunnel, and one of the
> IPsec gateways is behind NAT. If the NAT rule is BASIC, i.e. no port
> translation, the ESP tunnel gets established, but if I try with the NAT
> rule as NAPT, i.e. port translation, I get the following error message
> in my /var/log/secure file -
>
> "packet from 10.0.20.17:50000 : initial Main Mode message received on
> 172.30.33.133:500 but no connection has been authorized."
>
> My setup is as follows -
>
> | 172.47.1.10 | -------| 172.47.1.1 (NAT) 10.0.20.17 |-----| 10.0.20.200 / 172.30.2.122 |-----| 172.30.33.133 |
>
> 172.47.1.10 and 172.30.33.133 are the Linux boxes running FreeS/WAN.
>
> Could there be something wrong with the ipchains rules at 172.30.33.133?
>
> I have the following rules at 172.30.33.133 -
>
> -i INPUT -s 10.0.20.0/24 -d 172.30.0.0/16 -p all -j ACCEPT
> -i INPUT -s 172.30.0.0/16 -d 10.0.20.0/24 -p all -j ACCEPT
>
>
> Thanks & Regards -
> Tarun Bajaj
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
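The two points raised in the message above, as an added example that is not part of the thread and is not code from FreeS/WAN or from the Arkoon patch: a small model of a port-translating NAT (NAPT) shows why the responder sees the NAT'd gateway's Main Mode packet arriving from 10.0.20.17:50000 rather than from port 500 (so a firewall rule that insists on source port 500 drops it, while one that only checks destination port 500 passes it), and why a gateway that tries to initiate towards the NAT's outside address gets nowhere: without an outbound packet from the inside host there is no mapping to deliver the inbound packet to. The addresses follow the topology in the thread; the gateway model, its ephemeral-port range starting at 50000, and the packets are constructed for the example.

```python
"""NAPT and IKE on 500/udp: why the NAT'd peer must initiate.

Added example, not code from the thread, FreeS/WAN or the Arkoon patch.
The addresses follow the topology in the thread; the gateway model, its
ephemeral-port range and the packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptGateway:
    """Port-translating NAT (NAPT): many inside hosts share one outside
    address, so the source port of outbound flows is rewritten, and a
    mapping exists only after an inside host has sent something."""

    def __init__(self, outside_ip: str, first_port: int = 50000) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port  # assumed ephemeral range for the example
        # (inside_ip, inside_port, peer_ip, peer_port) -> outside_port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (outside_port, peer_ip, peer_port) -> (inside_ip, inside_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the un-NATed packet, or None when no mapping exists
        (the gateway cannot know which inside host should receive it)."""
        if pkt.dst_ip != self.outside_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def ike_rule_src_and_dst_500(pkt: Packet) -> bool:
    """The original firewall rule: accept IKE only if both ports are 500."""
    return pkt.src_port == IKE_PORT and pkt.dst_port == IKE_PORT


def ike_rule_dst_500(pkt: Packet) -> bool:
    """The relaxed rule: accept IKE when only the destination port is 500."""
    return pkt.dst_port == IKE_PORT


def run_scenario() -> dict:
    nat = NaptGateway(outside_ip="10.0.20.17")
    natd_gw = "172.47.1.10"      # FreeS/WAN box behind the NAT
    remote_gw = "172.30.33.133"  # FreeS/WAN box reachable directly

    # 1. The NAT'd gateway initiates Main Mode. It sends 500 -> 500, but the
    #    NAPT rewrites the source to its outside address and a new port.
    outbound = nat.translate_outbound(Packet(natd_gw, IKE_PORT, remote_gw, IKE_PORT))

    # 2. The remote gateway answers what it saw; the mapping from step 1
    #    lets the NAT deliver the reply to the inside host on port 500.
    reply = nat.translate_inbound(Packet(remote_gw, IKE_PORT, outbound.src_ip, outbound.src_port))

    # 3. The remote gateway tries to initiate instead. Nothing has left the
    #    inside yet, so there is no mapping and the packet is dropped.
    unsolicited = nat.translate_inbound(Packet(remote_gw, IKE_PORT, nat.outside_ip, IKE_PORT))

    return {
        "as_seen_by_remote": outbound,
        "passes_src_and_dst_500": ike_rule_src_and_dst_500(outbound),
        "passes_dst_500": ike_rule_dst_500(outbound),
        "reply_delivered_to": reply,
        "unsolicited_delivered_to": unsolicited,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Step 1 reproduces what the responder logged in the thread (a Main Mode message from 10.0.20.17:50000 on 172.30.33.133:500); step 3 is the case John asks about, where the NAT has no mapping because the NAT'd device has not initiated the flow.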
This archive was generated by hypermail 2.1.5 : Sat Nov 16 2002 - 05:20:41 CET