On 8/17/07, Michael Gale <[EMAIL PROTECTED]> wrote:
> Hey,
>
>         Can you UDP encapsulate the IPSEC ESP packets ?

Yes, isakmpd does that automatically. ESP doesn't traverse NAT at all.

    -martin


> I believe most IPSEC servers and clients can support this feature, which
> also helps when going through NAT gateways.
>
> http://www.faqs.org/rfcs/rfc3948.html
> http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzaja/rzajaudpencap.htm
>
> Michael
>
>
>
> Martin Hedenfalk wrote:
> > Hello misc,
> >
> > I'm having problems with two IPsec tunnels from two different peers
> > behind the same NAT, to the same responder. All hosts are running
> > OpenBSD 4.1, including the NAT:ing gateway. One peer can connect just
> > fine, but when the other tries to establish a tunnel (with a different
> > tunneled network), the first SA is just deleted. The two peers are now
> > continuously "competing". I get a lot of INVALID_COOKIE messages from
> > isakmpd.
> >
> > It's the same problem as reported in this post:
> > http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
> > However, the "Shared-SADB" parameter mentioned doesn't have any effect for 
> > me.
> >
> > I've sort of tracked this down to a call to sa_delete() in
> > ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
> > function calls sa_lookup_by_peer() which apparently matches both of my
> > SAs. I disabled the sa_delete() loop and now both of my SAs stay up
> > fine, but I'm not really sure what I've done.
> >
> > Does anyone (developer?) have any thoughts about this?
> >
> > TIA
> > /Martin
> >
>
>
> --
> Michael Gale
>
> Red Hat Certified Engineer
> Network Administrator
> Pason Systems Corp.
>
> "What we need are more people who specialize in the impossible." -
> Theodore Roethke
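The two points raised in the thread, that ESP by itself cannot be told apart per host behind a port-translating NAT and that RFC 3948 solves this by carrying ESP inside UDP on port 4500, are illustrated by the following added example. It is not code from the thread, from OpenBSD, or from isakmpd: it is a toy model written for this page. All addresses, ports, SPIs and packet bytes are constructed, and the NAT model is deliberately minimal (address-and-port translation only, no SPI-based ESP passthrough).

```python
"""Added example (not from the thread): a toy model of RFC 3948 UDP
encapsulation of ESP, and of why plain ESP (IP protocol 50) cannot be told
apart per host behind a port-translating NAT. Every address, port and
packet byte below is constructed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UDP, ESP = 17, 50          # IP protocol numbers
NAT_T_PORT = 4500          # UDP port for IKE NAT-T and UDP-encapsulated ESP


def classify_nat_t_payload(payload: bytes) -> Tuple[str, Optional[int]]:
    """Demultiplex the payload of a UDP/4500 datagram as RFC 3948 describes.

    Returns (kind, spi):
      'keepalive' : a single 0xFF octet (NAT-keepalive, section 2.3)
      'ike'       : 4-octet zero "non-ESP marker" followed by IKE (section 2.2)
      'esp'       : ESP header; the first 4 octets are a non-zero SPI (section 2.1)
    """
    if payload == b"\xff":
        return "keepalive", None
    if len(payload) < 4:
        raise ValueError("truncated NAT-T payload")
    spi = struct.unpack("!I", payload[:4])[0]
    return ("ike", None) if spi == 0 else ("esp", spi)


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # UDP only; ESP carries no port fields
    dport: Optional[int] = None
    payload: bytes = b""


@dataclass
class PortNat:
    """Port-address-translating gateway: one public address shared by many hosts."""
    public_ip: str
    next_port: int = 40000
    table: Dict[Tuple[int, str, int], int] = field(default_factory=dict)

    def translate_out(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:
            key = (UDP, pkt.src, pkt.sport)
            if key not in self.table:          # fresh outside port per inside flow
                self.table[key] = self.next_port
                self.next_port += 1
            return Packet(UDP, self.public_ip, pkt.dst, self.table[key], pkt.dport, pkt.payload)
        # Anything without ports (ESP): only the source address can be rewritten,
        # so every inside host collapses onto the same outside identity.
        return Packet(pkt.proto, self.public_ip, pkt.dst, None, None, pkt.payload)


def distinct_sources(nat: PortNat, pkts: List[Packet]) -> int:
    """How many distinct (proto, src, sport) tuples the responder sees after NAT."""
    return len({(p.proto, p.src, p.sport) for p in (nat.translate_out(x) for x in pkts)})


def esp_datagram(spi: int) -> bytes:
    """Constructed ESP header: SPI, sequence number 1, eight bytes of fake ciphertext."""
    return struct.pack("!II", spi, 1) + b"\x00" * 8


def demo() -> Tuple[int, int]:
    """Two peers behind one NAT, each sending ESP to the same responder.
    Returns (sources seen with raw ESP, sources seen with UDP-encapsulated ESP)."""
    responder = "198.51.100.1"                     # constructed responder address
    peers = ["10.0.0.11", "10.0.0.12"]             # constructed inside peers
    raw = [Packet(ESP, p, responder, payload=esp_datagram(0x1000 + i))
           for i, p in enumerate(peers)]
    encap = [Packet(UDP, p, responder, NAT_T_PORT, NAT_T_PORT, esp_datagram(0x1000 + i))
             for i, p in enumerate(peers)]
    return (distinct_sources(PortNat("203.0.113.5"), raw),
            distinct_sources(PortNat("203.0.113.5"), encap))


if __name__ == "__main__":
    print(demo())   # (1, 2)
    print(classify_nat_t_payload(b"\x00\x00\x00\x00" + b"\x00" * 28))   # ('ike', None)
```

Run as a script, `demo()` shows the responder seeing one source for the two raw ESP flows but two sources once they are UDP-encapsulated, which is exactly the distinction a responder needs when several peers sit behind one gateway. The classifier mirrors the RFC 3948 rule that an SPI of zero is reserved, so a four-octet zero marker means IKE rather than ESP on the shared port.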
