On 8/17/07, Michael Gale <[EMAIL PROTECTED]> wrote:
> Hey,
>
> Can you UDP encapsulate the IPSEC ESP packets ?

Yes, isakmpd does that automatically. ESP doesn't traverse NAT at all.

-martin

> I believe most IPSEC servers and clients can support this feature, which
> also helps when going through NAT gateways.
>
> http://www.faqs.org/rfcs/rfc3948.html
> http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzaja/rzajaudpencap.htm
>
> Michael
>
>
> Martin Hedenfalk wrote:
> > Hello misc,
> >
> > I'm having problems with two IPsec tunnels from two different peers
> > behind the same NAT, to the same responder. All hosts are running
> > OpenBSD 4.1, including the NAT:ing gateway. One peer can connect just
> > fine, but when the other tries to establish a tunnel (with a different
> > tunneled network), the first SA is just deleted. The two peers are now
> > continuously "competing". I get a lot of INVALID_COOKIE messages from
> > isakmpd.
> >
> > It's the same problem as reported in this post:
> > http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
> > However, the "Shared-SADB" parameter mentioned doesn't have any effect for
> > me.
> >
> > I've sort of tracked this down to a call to sa_delete() in
> > ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
> > function calls sa_lookup_by_peer() which apparently matches both of my
> > SAs. I disabled the sa_delete() loop and now both of my SAs stay up
> > fine, but I'm not really sure what I've done.
> >
> > Does anyone (developer?) have any thoughts about this?
> >
> > TIA
> > /Martin
>
>
> --
> Michael Gale
>
> Red Hat Certified Engineer
> Network Administrator
> Pason Systems Corp.
>
> "What we need are more people who specialize in the impossible." -
> Theodore Roethke
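The UDP encapsulation Michael asks about is what lets ESP cross a NAT: raw ESP carries only an SPI and no ports, so a port-translating gateway has nothing to demultiplex on, whereas RFC 3948 wraps ESP (and IKE, and keepalives) in UDP port 4500 datagrams. The following demultiplexer for that UDP/4500 payload format is an added illustration, not code from the thread or from isakmpd; the sample datagrams are constructed.

```python
import struct

# RFC 3948 section 2.3: a one-byte 0xFF payload is a NAT-keepalive.
NAT_KEEPALIVE = b"\xff"
# RFC 3948 section 2.2: four zero bytes (an SPI value ESP never uses)
# mark an IKE message carried on port 4500 instead of ESP.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP/4500 datagram payload as keepalive, IKE or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        raise ValueError("payload too short for a UDP-encapsulated packet")
    if payload[:4] == NON_ESP_MARKER:
        # The IKE message follows the 4-byte non-ESP marker.
        return {"kind": "ike", "ike": payload[4:]}
    if len(payload) < 8:
        raise ValueError("ESP header needs a 4-byte SPI and 4-byte sequence number")
    # ESP header: SPI then sequence number, both big-endian 32-bit.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "body": payload[8:]}


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "keepalive": b"\xff",
    "ike": NON_ESP_MARKER + b"\x01" * 28,          # marker + fake IKE header
    "esp": struct.pack("!II", 0x1234ABCD, 7) + b"\xaa" * 16,  # SPI, seq, ciphertext
}

if __name__ == "__main__":
    for name, datagram in SAMPLES.items():
        print(name, classify_udp4500(datagram)["kind"])
```

The ESP body is still opaque here; with UDP encapsulation the NAT rewrites the outer UDP source port, which is why two peers behind one NAT reach the responder from the same address but different ports.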