On Mon, 24 Sep 2018, Frank Liu wrote:
My side runs libreswan and the remote side runs some version of Checkpoint. The
tunnel comes up but sometimes goes down and can't be re-established. When this
happens, tcpdump shows libreswan completes phase 1 fine on port 500, but then
switches to port 4500 (probably due to the Vendor ID from the remote), and the
remote doesn't respond on 4500 anymore.
With the latest libreswan, I can set nat-ikev1-method=none so my side doesn't
send anything to their 4500. Everything works. But I have to use CentOS 7, which
comes with the older libreswan 3.23. Is there anything I can do to disable NAT-T
in older versions?
I don't think so.
RHEL 7.6 (and thus CentOS 7) will have 3.25-2, so you should
be good soon. Alternatively, we run our own RHEL 6/7 repos on
download.libreswan.org that currently have 3.26.
You can add this repository by installing:
https://download.libreswan.org/binaries/rhel/7/libreswan-release-7-1.noarch.rpm
and then 'yum install libreswan'.
Paul
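An added example, not part of the thread and not libreswan's own tooling: a POSIX shell script that follows Paul's upgrade path (install the release RPM from download.libreswan.org, then yum install libreswan) and then writes a conn with nat-ikev1-method=none so the IKEv1 peer is never probed on UDP 4500. Assumptions of mine, not stated on the page: that nat-ikev1-method= first shipped in 3.25 (Paul says 3.25-2 "should be good"), that `ipsec --version` prints "Linux Libreswan X.Y (...)", that the stock CentOS ipsec.conf includes /etc/ipsec.d/*.conf, and that the conn name, addresses and subnets are placeholders (documentation ranges) to be replaced.

```shell
#!/bin/sh
# Added example: get a libreswan that understands nat-ikev1-method= on CentOS 7,
# then stop NAT-T probing for an IKEv1 conn. Nothing here is from the thread
# except the repo RPM URL and the setting name.
set -eu

REPO_RPM='https://download.libreswan.org/binaries/rhel/7/libreswan-release-7-1.noarch.rpm'
MIN_VERSION='3.25'   # assumption: first release with nat-ikev1-method=

# Print the "X.Y" part of a string such as
# "Linux Libreswan 3.23 (netkey) on 3.10.0-862.el7.x86_64" (assumed format).
libreswan_version() {
    printf '%s\n' "$1" | sed -n 's/.*Libreswan \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when X.Y version $1 >= X.Y version $2; major first, then minor.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# True when the installed libreswan (its --version output) is new enough.
supports_nat_ikev1_method() {
    v=$(libreswan_version "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_VERSION"
}

# Conn fragment for /etc/ipsec.d/; addresses and subnets are placeholders.
# The last line is the actual fix: no NAT detection, no move to UDP 4500.
conn_fragment() {
    cat <<'EOF'
conn checkpoint
    ikev2=no
    authby=secret
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    right=198.51.100.1
    rightsubnet=10.1.0.0/24
    auto=start
    # The Checkpoint peer stops answering on 4500, so never switch to it.
    nat-ikev1-method=none
EOF
}

# Upgrade only if needed (needs root and network), then apply the conn.
apply() {
    installed=$(ipsec --version 2>/dev/null || true)
    if supports_nat_ikev1_method "$installed"; then
        echo "libreswan is already new enough: $installed"
    else
        echo "upgrading libreswan from download.libreswan.org"
        yum -y install "$REPO_RPM"
        yum -y install libreswan
    fi
    conn_fragment > /etc/ipsec.d/checkpoint.conf
    systemctl restart ipsec
    ipsec status | grep -q checkpoint && echo "conn checkpoint loaded"
}

# Run the real upgrade only when explicitly asked; otherwise just define the
# helpers so the version check can be reused or tested without touching yum.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as root with `--apply`; without the flag it only defines the functions, so the version comparison can be exercised on a box that is not the VPN gateway. The version check is what keeps the script from pointlessly re-running yum on the RHEL 7.6 packages once they ship.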
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan