Tuomo Soini wrote:
> I have just spent two days testing IPSEC NAT-Traversal with shorewall
> and super-freeswan freeswan.ca.
>
> The extra requirement over normal ipsec is that udp port 500 needs to be
> open from any source port and udp port 4500 (ESPinUDP) needs to be open
> from any source port.
>
> For normal ipsec traffic IKE uses udp source port 500 and destination
> port 500, but IPsec NAT-T needs any source port open (first try to connect),
> and after NAT is detected, ESP communication happens on port 4500/udp.
>
> And another note: don't activate dropunclean - it happily drops every
> ESPinUDP packet as a bad packet.
>
Probably because of checksum errors -- that's fixed in a very recent patch
to NetFilter.
In the current CVS version (Development), there is a tunnel type
"ipsecnat" that doesn't require that the source port be 500
for ISAKMP.
Another Shorewall user ran into that recently.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
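The firewall openings Tuomo describes, written as entries for the Shorewall rules file. This is an added illustration, not configuration posted by either author; the zone names net and fw and the column layout of the rules file are assumed. The first entry is the classic ISAKMP rule that pins the source port to 500 (the setting that breaks NAT-T); the entries below it leave SOURCE PORT(S) blank so any source port is accepted, and add ESP-in-UDP on 4500 plus native ESP for peers that are not behind NAT.

```text
#ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S)
#
# Classic IKE rule: source port pinned to 500. A NAT-T peer's first IKE
# packet arrives from an arbitrary source port and is dropped by this rule.
ACCEPT  net    fw   udp   500          500
#
# NAT-T friendly rules: SOURCE_PORT(S) left blank means any source port.
# udp 500  = IKE/ISAKMP (initial negotiation, NAT detection)
# udp 4500 = ESP-in-UDP, used once NAT has been detected
# proto 50 = native ESP, still needed for peers that are not behind NAT
ACCEPT  net    fw   udp   500
ACCEPT  net    fw   udp   4500
ACCEPT  net    fw   50
ACCEPT  fw     net  udp   500
ACCEPT  fw     net  udp   4500
ACCEPT  fw     net  50
```

With the CVS version Tom mentions, the "ipsecnat" tunnel type in the tunnels file is meant to produce the equivalent of the blank-source-port entries for a given gateway; its exact syntax is not shown in this thread.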