Re: AW: [Users] NAT-ed RW problems

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Mon Nov 25 2002 - 02:24:44 CET



Disable IPSec passthru support on the NAT box.

On Mon, 25 Nov 2002, Patrick Berlinger wrote:

>
> And how could I solve this problem?
>
> Kind regards,
> Patrick Berlinger
>
> > Nov 22 13:13:25 vpntest pluto[3478]: packet from 80.133.230.55:500:
> > ignoring Vendor ID payload [SSH Communications Security IPSEC Express
> > version 4.1.0]
> > Nov 22 13:13:25 vpntest pluto[3478]: packet from 80.133.230.55:500:
> > ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
> > Nov 22 13:13:25 vpntest pluto[3478]: packet from 80.133.230.55:500:
> > ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
> > Nov 22 13:13:25 vpntest pluto[3478]: packet from 80.133.230.55:500:
> > received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>
> > Nov 22 13:13:25 vpntest pluto[3478]: "hintzm"[1] 80.133.230.55 #1:
> > NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: peer is
> > NATed
>
> The roadwarrior is NATed but the source port is still 500. This is often
> due to IPSec-Passthrough functionality and the NAT device drops every
> packet it can't understand (especially ESPinUDP packets).
>
> Perhaps I should add a warning note when this is the case.
>
> --
> Mathieu Lafon - Arkoon Network Security
>

--
Ken Bantoft                The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca         http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"Anyone who considers arithmetical methods of producing
random digits is, of course, in a state of sin."
                    -- John Von Neumann, 1951


_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Mon Nov 25 2002 - 05:20:55 CET
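
The condition diagnosed in the thread (pluto reports "peer is NATed" while the peer's IKE packets still arrive from source port 500) can be checked mechanically over pluto logs. The following is an added example, not part of the original thread or of FreeS/WAN; the sample log lines, connection names, addresses and the "no NAT detected" wording are constructed assumptions modeled on the log format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the pluto log format quoted in the thread
# (documentation addresses; the "no NAT detected" wording is an assumption).
SAMPLE_LOG = """\
Nov 22 13:13:25 vpntest pluto[3478]: packet from 192.0.2.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 22 13:13:25 vpntest pluto[3478]: "rw-a"[1] 192.0.2.10 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: peer is NATed
Nov 22 13:15:02 vpntest pluto[3478]: packet from 198.51.100.7:32771: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 22 13:15:02 vpntest pluto[3478]: "rw-b"[1] 198.51.100.7 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: peer is NATed
Nov 22 13:16:40 vpntest pluto[3478]: packet from 203.0.113.5:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 22 13:16:40 vpntest pluto[3478]: "rw-c"[1] 203.0.113.5 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: no NAT detected
"""

# "packet from IP:PORT:" lines give the source port the gateway actually saw.
PACKET_RE = re.compile(r'pluto\[\d+\]: packet from (\d+\.\d+\.\d+\.\d+):(\d+):')
# Per-connection NAT-Traversal detection result.
RESULT_RE = re.compile(
    r'pluto\[\d+\]: "([^"]+)"\[\d+\] (\d+\.\d+\.\d+\.\d+) #\d+: '
    r'NAT-Traversal: Result using \S+: (.+)$')

def find_passthrough_suspects(log_text):
    """Return sorted [(conn, ip)] for peers detected as NATed whose IKE
    packets nevertheless all arrived from source port 500."""
    ports = defaultdict(set)   # ip -> source ports seen
    natted = {}                # ip -> connection name
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3).strip() == "peer is NATed":
            natted[m.group(2)] = m.group(1)
    # A NAT device that rewrote the port would show something other than 500.
    return sorted((conn, ip) for ip, conn in natted.items()
                  if ports.get(ip) == {500})

if __name__ == "__main__":
    for conn, ip in find_passthrough_suspects(SAMPLE_LOG):
        print(f'WARNING: "{conn}" {ip}: peer is NATed but source port is '
              f'still 500; check IPsec passthrough on the NAT device')
```

The function expects one log entry per line, as syslog writes them; entries wrapped by a mail client must be re-joined first.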