[Swan] disable nat-t

Paul Wouters paul at nohats.ca
Mon Sep 24 15:06:00 UTC 2018


On Mon, 24 Sep 2018, Frank Liu wrote:

> My side runs libreswan and the remote side runs some version of Checkpoint. The tunnel comes up but sometimes goes down and can't be
> re-established. When this happens, tcpdump shows libreswan completing phase 1 fine on port 500, but then switching to port 4500
> (probably due to the Vendor ID from the remote), but the remote doesn't respond on 4500 anymore.
> 
> With the latest libreswan, I can set nat-ikev1-method=none so my side doesn't send anything to their 4500. Everything works. Since I
> have to use CentOS 7, which comes with the older libreswan 3.23, is there anything I can do to disable nat-t in older versions?

I don't think so.

RHEL-7.6 (and thus CentOS 7) will have 3.25-2, so you should
be good soon. Alternatively, we run our own RHEL 6/7 repos on
download.libreswan.org, which currently has 3.26.

You can install this repository by installing:
https://download.libreswan.org/binaries/rhel/7/libreswan-release-7-1.noarch.rpm

and then 'yum install libreswan'

Paul
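
A small check that follows from the thread, added here as an example (not from the list or the libreswan project): before putting nat-ikev1-method=none in ipsec.conf, confirm the installed libreswan is new enough. It assumes the `ipsec --version` output format shown in the comment, and, as Paul's reply implies, that the option exists from 3.25 onward; both are assumptions.

```shell
# Compare two dotted version strings; succeeds (exit 0) when $1 >= $2.
# Implemented in awk so it does not depend on GNU sort -V.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        top = (n > m) ? n : m
        for (i = 1; i <= top; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Pull "3.23" out of a line like (assumed `ipsec --version` format):
#   Linux Libreswan 3.23 (netkey) on 3.10.0-862.el7.x86_64
libreswan_version_from() {
    printf '%s\n' "$1" | sed -n 's/^Linux Libreswan \([0-9][0-9.]*\).*/\1/p'
}

# Assumption drawn from the thread: 3.23 lacks nat-ikev1-method,
# 3.25-2 and 3.26 have it, so treat 3.25 as the minimum.
MIN_NAT_IKEV1_METHOD=3.25

# Succeeds when the given `ipsec --version` line is >= the minimum.
supports_nat_ikev1_method() {
    v=$(libreswan_version_from "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_NAT_IKEV1_METHOD"
}

# Typical use on the host (sample line is constructed, not captured):
# if supports_nat_ikev1_method "$(ipsec --version)"; then
#     echo "nat-ikev1-method=none is available in this build"
# else
#     echo "upgrade libreswan (e.g. from download.libreswan.org) first"
# fi
```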

