On Fri, 4 Mar 2016, Fabian van der Werf wrote:
> I am testing a VPN connection from a Windows client behind a NAT to a publicly
> accessible server running libreswan 3.16.
> When the initiator request reaches libreswan the source port is not 500
> because of the NAT. But even so, libreswan
> still responds to port 500. This is of course dropped by the NAT since it
> doesn't have a clue how to forward this.
> Check this tcpdump:
> 16:05:17.182210 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
> 16:05:17.183377 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
> 16:05:19.182310 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
> 16:05:19.183145 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
> I would expect libreswan to respond to port 12286 instead of 500.
So would I :)
> Is this a bug in libreswan? Or am I missing something? A configuration option?
Looks like it. Can you run with a full plutodebug=all and pastebin or
mail me (offlist) with the logs?
Paul
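A small checker for the symptom in this thread, added here as an example (it is not part of the mailing-list exchange or of libreswan): it reads one-line tcpdump output of the form shown above and flags IKE_SA_INIT replies that were sent to port 500 although the matching request arrived from a different, NAT-translated source port. The hostnames natIP/libreswanIP and the sample lines are the ones from the thread; the line format the regex accepts is an assumption based on them.

```python
import re

# Matches the one-line tcpdump format used in the thread (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"isakmp: .*ikev2_init\[(?P<role>[IR])\]$"
)

# Sample capture, constructed from the lines quoted in the thread.
SAMPLE = [
    "16:05:17.182210 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]",
    "16:05:17.183377 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]",
    "16:05:19.182310 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]",
    "16:05:19.183145 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]",
]


def parse(lines):
    """Return the parsed fields of every line that looks like an IKE_SA_INIT packet."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def find_nat_port_mismatches(lines):
    """Return (request_source_port, reply_destination_port) pairs for every
    IKE_SA_INIT response whose destination port differs from the source port
    of the request it answers. A NAT in the path will drop such replies."""
    pending = {}   # (initiator, responder) -> source port of the latest request
    findings = []
    for p in parse(lines):
        if p["role"] == "I":
            pending[(p["src"], p["dst"])] = int(p["sport"])
        else:
            # The reply flows back from responder to initiator, so swap the key.
            req_port = pending.get((p["dst"], p["src"]))
            if req_port is not None and int(p["dport"]) != req_port:
                findings.append((req_port, int(p["dport"])))
    return findings


if __name__ == "__main__":
    for req_port, reply_port in find_nat_port_mismatches(SAMPLE):
        print(f"request from port {req_port}, reply sent to port {reply_port}")
```

Run it against `tcpdump -n udp port 500` output saved to a file; a non-empty result reproduces the behaviour reported above, while a correctly NAT-aware responder yields none.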
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan