From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Helge Weissig <helgew@grajagan.org>
Cc: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: protocol 50 unreachable
Date: Wed, 01 Dec 2004 23:09:25 -0500
Message-ID: <1101960564.2032.121.camel@localhost>
In-Reply-To: <Pine.LNX.4.44.0412011956430.22471-100000@gollum.grajagan.net>

On Wed, 2004-12-01 at 23:00, Helge Weissig wrote:
> On Wed, 1 Dec 2004 at 22:46 -0500, Jason Opperisano wrote:
> 
> JO> > no such luck :(. I should note that the VPN connection works fine when I 
> JO> > hook the client up directly to my DSL line. btw - it looks like your 
> JO> > script does not forward anything from one of my interfaces to the other.
> JO> 
> JO> yeah--precisely.  you seem obsessed with the desire to "port forward"
> JO> esp traffic to your VPN client, which is absolutely not necessary.
> JO> 
> JO> look into configuring NAT-T with your VPN client, sometimes called "UDP
> JO> Encapsulation" as your VPN server appears unwilling to accept esp
> JO> packets that have traversed an intermediate NAT device.
> 
> hmm... how does a packet know it needs to go from my external NIC to my 
> internal NIC if it comes through ESP? Maybe I am confused here... 
> 
> let's leave the VPN client/server out of the picture to simplify. If I 
> send an ESP packet from somewhere to my external IP address I get the 
> "protocol 50 unreachable" ICMP response. The underlying problem seems to 
> be the primary cause of my troubles, no?
> 
> h.
Yes, you should be able to get this to work as long as there is only one
station behind the NAT gateway using IPSec.  NAT traversal is a valid
way to go and the only way to go if you have more than one IPSec client
using the same public address.  I do assume that the NAT gateway is not
running IPSec.

To use NAT traversal, you would forward the appropriate UDP port
(typically 4500 or 500) rather than ip/50.

I do not know why your NAT gateway is refusing to pass the IPSec
packets.  That's why I suggested logging in my previous e-mail: to
clarify whether the DNAT interface does not work.  Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
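John's advice is to log at the gateway to see whether the DNAT rule for ip/50 is matching at all. As an added example (not from the thread or any of its participants), here is a small Python tool that parses netfilter LOG lines of the kind `iptables -j LOG` writes to the kernel log, classifies each packet as ESP, IKE (UDP 500), NAT-T (UDP 4500) or an ICMP "protocol unreachable" reply, and reports whether ESP that entered on the external interface was forwarded out of the internal one or answered by the gateway itself. The log lines, log prefixes, interface names and addresses are constructed for the example; the LOG line format is assumed to be the usual `IN= OUT= SRC= DST= ... PROTO=` key/value layout.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (not taken from the thread).
# 198.51.100.5 plays the gateway's external address, 192.168.1.20 the IPsec client behind it.
SAMPLE_LOG = """\
Dec  2 04:09:01 gw kernel: PRE-ESP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=152 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ESP SPI=0x0a1b2c3d
Dec  2 04:09:01 gw kernel: FWD-ESP: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.1.20 LEN=152 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ESP SPI=0x0a1b2c3d
Dec  2 04:09:02 gw kernel: PRE-IKE: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=304 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=500 DPT=500 LEN=284
Dec  2 04:09:02 gw kernel: PRE-ESP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=152 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=ESP SPI=0x0a1b2c3e
Dec  2 04:09:03 gw kernel: OUT-ICMP: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.10 LEN=56 TOS=0x00 PREC=0xC0 TTL=64 ID=3 PROTO=ICMP TYPE=3 CODE=2 [SRC=203.0.113.10 DST=198.51.100.5 LEN=152 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=ESP ]
Dec  2 04:09:04 gw kernel: PRE-NATT: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=180 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=UDP SPT=4500 DPT=4500 LEN=160
"""

# Optional "--log-prefix" text, then the KEY=VALUE fields starting at IN=.
LINE_RE = re.compile(r"kernel: (?:(?P<prefix>[^:]*): )?(?P<rest>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict of the LOG fields plus 'prefix', or None for lines that are not LOG output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # An ICMP error quotes the offending packet's header in [...]; keep only the outer header.
    rest = m.group("rest").split(" [", 1)[0]
    rec = dict(FIELD_RE.findall(rest))
    rec["prefix"] = m.group("prefix") or ""
    return rec


def classify(rec):
    """Bucket a packet by the IPsec role it plays."""
    proto = rec.get("PROTO", "")
    if proto in ("ESP", "50"):            # LOG prints "ESP" for ip/50; accept the number too
        return "esp"
    if proto == "UDP" and rec.get("DPT") == "500":
        return "ike"
    if proto == "UDP" and rec.get("DPT") == "4500":
        return "nat-t"
    if proto == "ICMP" and rec.get("TYPE") == "3" and rec.get("CODE") == "2":
        return "proto-unreachable"        # ICMP destination unreachable, protocol unreachable
    return "other"


def path_of(rec):
    """Which side of the gateway saw the packet: forwarded, delivered locally, or sent by the gateway."""
    if rec.get("IN") and rec.get("OUT"):
        return "forward"
    if rec.get("IN"):
        return "input"
    return "output"


def summarize(lines):
    """Count packets by (class, path) over an iterable of kernel log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        counts[(classify(rec), path_of(rec))] += 1
    return counts


def diagnose(counts):
    """Answer the questions from the thread: is ESP being forwarded, or answered by the gateway?"""
    findings = []
    esp_in = counts[("esp", "input")]
    esp_fwd = counts[("esp", "forward")]
    if esp_in > esp_fwd:
        findings.append(f"{esp_in - esp_fwd} ESP packet(s) reached the gateway but were not forwarded: "
                        "the DNAT rule for ip/50 is not matching them")
    if counts[("proto-unreachable", "output")]:
        findings.append("gateway is answering with ICMP type 3 code 2 (protocol unreachable): "
                        "the ESP packets are delivered to the gateway itself instead of being DNATed")
    if (esp_in or esp_fwd) and not any(cls == "nat-t" for cls, _ in counts):
        findings.append("no UDP 4500 (NAT-T) traffic seen: the client sends raw ESP, "
                        "so either DNAT ip/50 to the client or enable NAT-T on it")
    return findings


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG.splitlines())
    for (cls, path), n in sorted(counts.items()):
        print(f"{cls:18s} {path:8s} {n}")
    for finding in diagnose(counts):
        print("-", finding)
```

Run against a real gateway, feed it `journalctl -k` or `/var/log/kern.log` after adding LOG rules with distinct `--log-prefix` values in the PREROUTING and FORWARD chains; the pairing of a PREROUTING hit with no matching FORWARD hit for the same SPI is the signature of a DNAT rule that is not matching ip/50.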