[Shorewall-users] Technically: ipsec v ipsecnat ?

Tom Eastep teastep at shorewall.net
Wed Mar 10 15:18:50 PST 2004

On Friday 27 February 2004 08:56 am, Steven Palm wrote:
> First of all, Thanks Tom for your help in fixing the martian problem
> with Shorewall. I have one other question:
> I haven't found a detailed explanation of the differing behavior in
> Shorewall between an ipsec line and an ipsecnat line in the tunnels
> line.
> Are there cases where if you have it set to ipsecnat a regular ipsec
> connection (non-NAT) won't work?
> I presume there are cases where using ipsec won't work with a NAT'd
> connection.
> Does this correlate at all to having the NAT Traversal patch in the
> FreeS/WAN ipsec software (I don't, I can't find one for v2.05)??
> Thanks for helping to clear this up. For our current users the routers
> at their primary locations all seem to pass IPSec traffic so NAT
> doesn't get in the way. In testing in-house, however, I have a wireless
> access point without IPSec passthru and it isn't working with "ipsec"
> or "ipsecnat" in the tunnels file.
> Just curious what part Shorewall plays in all of this, I'm going to try
> to find an updated NAT Traversal patch for FreeS/WAN to fix things up.

Just stumbled onto this post and noticed that no one has responded to it. The
difference between 'ipsec' and 'ipsecnat' is that 'ipsecnat' assumes NAT
traversal, so it only opens UDP port 500 to/from the remote gateway, whereas
'ipsec' opens UDP 500 along with protocols 50 and 51.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
