Openswan hacks and other interop tweaks
Listed here are hacks and tweaks that are not part of the regular operation of Openswan. This may be because the hack is not compliant with, or outright violates, the relevant RFCs, or because the solution is so hacked up that it should not ship in the regular Openswan distribution.
{{toc}}
Openswan uses SArefs to handle overlapping IP ranges, that is, multiple tunnels whose internal IP ranges are identical.
Juniper (and perhaps other vendors) uses a different approach. It "assigns" one or more static IP addresses from its own pool in the RFC 1918 address space, and then NATs the incoming IPsec packets so it can distinguish different customers that use identical IPs.
Unfortunately, their implementation is not RFC compliant and requires some severe hacking.
Juniper NAT-IPsec hack workaround
Hacking TTLs to have the server end send NAT-T keepalives, without bothering the battery-powered client
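To make the keepalive hack above concrete, the following added example (not Openswan code, and not from either of the hack pages) classifies the payloads that share UDP port 4500 under IPsec NAT-T: the one-octet 0xFF NAT-keepalive, IKE traffic behind the four-zero-byte non-ESP marker, and UDP-encapsulated ESP identified by its non-zero SPI (RFC 3948). The sample packets, addresses and TTL values are constructed for the example; a defender checking whether it is the server or the client that actually emits keepalives, and with what TTL, can run the same classifier over captured UDP/4500 payloads.

```python
import struct
from collections import Counter

# IKE traffic on UDP/4500 is prefixed with a 4-octet zero "non-ESP marker"
# so a receiver can tell it apart from ESP, whose SPI is never zero (RFC 3948).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# A NAT-keepalive is a single octet of 0xFF with no further payload.
NAT_KEEPALIVE = b"\xff"

def classify_natt_payload(payload: bytes) -> str:
    """Classify the UDP payload of a port-4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER) and len(payload) >= 4 + 28:
        return "ike"        # 28 bytes is the minimum ISAKMP/IKEv2 header
    if len(payload) >= 8:   # ESP header: SPI (4) + sequence number (4)
        spi = struct.unpack("!I", payload[:4])[0]
        if spi != 0:
            return "esp"
    return "unknown"

def summarize(packets):
    """
    packets: iterable of (src, dst, ttl, payload) tuples.
    Returns (class counts, list of (src, ttl) for every keepalive seen),
    which shows which end sends keepalives and with what TTL.
    """
    counts = Counter()
    keepalive_senders = []
    for src, dst, ttl, payload in packets:
        kind = classify_natt_payload(payload)
        counts[kind] += 1
        if kind == "nat-keepalive":
            keepalive_senders.append((src, ttl))
    return dict(counts), keepalive_senders

# Constructed sample traffic between a server and a client behind NAT
# (addresses from the documentation ranges; TTLs are illustrative).
SERVER, CLIENT_NAT = "203.0.113.5", "198.51.100.7"
IKEV2_SA_INIT = (NON_ESP_MARKER
                 + b"\x11" * 8                 # initiator SPI
                 + b"\x00" * 8                 # responder SPI (unset)
                 + bytes([0x21, 0x20, 34, 0x08])  # next payload, version, SA_INIT, Initiator flag
                 + struct.pack("!II", 0, 28))  # message id, length
ESP_PACKET = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
SAMPLE_PACKETS = [
    (CLIENT_NAT, SERVER, 63, IKEV2_SA_INIT),
    (SERVER, CLIENT_NAT, 64, ESP_PACKET),
    (SERVER, CLIENT_NAT, 4, NAT_KEEPALIVE),   # low TTL: only the NAT device needs to see it
    (SERVER, CLIENT_NAT, 4, NAT_KEEPALIVE),
    (CLIENT_NAT, SERVER, 63, b""),            # empty datagram, not a valid NAT-T payload
]

if __name__ == "__main__":
    counts, senders = summarize(SAMPLE_PACKETS)
    print(counts)
    print("keepalives from:", senders)
```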