>From: owner-m...@openbsd.org [owner-m...@openbsd.org] on behalf of
>Stuart Henderson [s...@spacehopper.org]
>Sent: Saturday, 7 September 2013 00:11
>To: misc@openbsd.org
>Subject: Re: ISAKMPD NAT/Traversal

>>On 2013-09-06, Christoph Leser <le...@sup-logistik.de> wrote:
>> Hello, list,
>>
>> from a remark by Stuart Henderson on an older thread
>> http://marc.info/?l=openbsd-misc&m=134849788026722&w=2 back in September
>> 2012, I understood that NAT-T support in openBSD was not complete at that
>> time, especially the handling of the 'ENCAPSULATION_MODE' attribute in the
>> phase 2 'TRANSFORM'. Sometimes this gets set to a value incompatible with
>> other equipment (Cisco).
>>
>> Can someone please point me to where I can find more information on this
>> matter? Has anything changed in openBSD with regard to this, will openBSD
>> follow RFC3947 with regard to the encapsulation modes (or is RFC3947 dead,
>> it seems to be a standard proposal since 2005)?
>>
>> Kind regards
>>
>> Christoph Leser
>>
>> S&P Computersysteme GmbH
>> Zettachring 4
>> 70567 Stuttgart Fasanenhof
>>
>> EMail: le...@sup-logistik.de
>>


>You misunderstand. OpenBSD uses the proper assigned encapsulation mode
>values from the newer internet-drafts and the published RFC:

>http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-04#section-5.1
>http://tools.ietf.org/html/rfc3947#section-5.1

>It is Cisco who use the old encapsulation mode values from the early
>versions of the internet-draft (marked "XXX CHANGE" here):

>http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-03#section-5.1


Thanks for the clarification. Does that mean that openBSD sends
UDP-Encapsulated-Tunnel (=3) mode when it detects NAT? But the isakmpd.pcap
still shows "attribute ENCAPSULATION_MODE = TUNNEL" in the TRANSFORM payload?

I ask because I have problems with a SonicWall behind a NAT on the remote
site, which claims that my openBSD sends TUNNEL(=1) instead of Encapsulated
Tunnel(=3).
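
For checking which encapsulation mode a peer actually proposes, here is an added example (not part of the original thread and not isakmpd code) that decodes the data attributes of a phase 2 TRANSFORM payload and names the ENCAPSULATION_MODE value. The values 61443 and 61444 are the private-use numbers from the early NAT-T drafts linked above; the attribute bytes are constructed samples, not taken from a capture.

```python
import struct

ENCAPSULATION_MODE = 4  # IPsec DOI (RFC 2407) attribute type

# value -> (name, where that value is assigned)
ENCAP_MODES = {
    1: ("TUNNEL", "RFC 2407"),
    2: ("TRANSPORT", "RFC 2407"),
    3: ("UDP-Encapsulated-Tunnel", "RFC 3947"),
    4: ("UDP-Encapsulated-Transport", "RFC 3947"),
    61443: ("UDP-Encapsulated-Tunnel", "early NAT-T draft"),
    61444: ("UDP-Encapsulated-Transport", "early NAT-T draft"),
}

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408, 3.3) into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        word, field = struct.unpack_from("!HH", data, off)
        off += 4
        if word & 0x8000:  # AF bit set: short TV form, field is the value
            attrs.append((word & 0x7FFF, field))
        else:              # AF bit clear: TLV form, field is the value length
            if len(data) - off < field:
                raise ValueError("truncated attribute value")
            attrs.append((word, int.from_bytes(data[off:off + field], "big")))
            off += field
    return attrs

def encapsulation_mode(data):
    """Return (value, name, origin) of ENCAPSULATION_MODE, or None if absent."""
    for atype, value in parse_attributes(data):
        if atype == ENCAPSULATION_MODE:
            return (value,) + ENCAP_MODES.get(value, ("unknown", "unassigned"))
    return None

# Constructed attribute bytes (not from a real capture): life type = seconds,
# life duration = 3600 in TLV form, then the encapsulation mode under test.
PREFIX = bytes.fromhex("80010001" "0002000400000e10")
SAMPLES = {
    "plain tunnel": PREFIX + bytes.fromhex("80040001"),
    "RFC 3947 UDP tunnel": PREFIX + bytes.fromhex("80040003"),
    "draft UDP tunnel": PREFIX + bytes.fromhex("8004f003"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", encapsulation_mode(raw))
```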
