Linux - Newbie: This Linux forum is for members that are new to Linux.
Yes, I know, but I need to check whether the established tunnel will still be up when the NAT server randomly changes the port!! But in my case the NAT server is not changing the source port (I mean not exactly changing, but the source port should not be visible to the destination server after NAT'ing).
But it won't change the port. It uses 500. Port 500 is used for basic un-NATted IPsec; if IKE detects a NAT in place, then the exchange will move to port 4500. So doing any NAT will mean that the key exchange doesn't use that port for any significant role other than knowing not to use it. What you're asking for doesn't happen, it's really a non-issue.
Ohh cool!! Thanks for the info. So, you mean to say if IKE detects a NAT it will use 4500 by default instead of 500, and there is no other means to change that to some <xxxx> port using anything, right?
Looking around, I can't find much talk about it, but IKE over UDP 500 works in an intrinsically different way to a standard UDP / TCP application. Basically NAT matters. So with the standard 500 interchange a hash of the IP and port on each peer is compared to the actual IP details on the connection, and if they differ then NAT has been performed, and so it then uses a different process where NAT is tolerated on 4500, given that both devices are able to handle the more advanced processes that requires.
IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and AH associations for the same IP addresses it runs over. The IP addresses and ports in the outer header are, however, not themselves cryptographically protected, and IKE is designed to work even through Network Address Translation (NAT) boxes. An implementation MUST accept incoming requests even if the source port is not 500 or 4500, and MUST respond to the address and port from which the request was received. It MUST specify the address and port at which the request was received as the source address and port in the response. IKE functions identically over IPv4 or IPv6.
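As an added example (not code from this thread or any of its posters), the "hash of the IP and port" comparison described above is the IKEv2 NAT detection from RFC 7296 section 2.23: each peer sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies carrying SHA-1(SPIi | SPIr | IP | port) over the addresses as it saw them, and the receiver recomputes the hash over the outer header it actually observed. The SPIs, addresses and the NAT-rewritten source port below are constructed for the demo; the function names are my own.

```python
import hashlib
import ipaddress
import struct

# IKE ports from the RFC text above: 500 for plain IKE, 4500 once NAT traversal is needed.
IKE_PORT = 500
IKE_NATT_PORT = 4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address (4 or 16 bytes) | UDP port (2 bytes, network order).

    This is the payload of the NAT_DETECTION_*_IP notifies (RFC 7296 section 2.23).
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed          # works for IPv4 and IPv6 alike
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(advertised: bytes, spi_i: bytes, spi_r: bytes, observed_ip: str, observed_port: int) -> bool:
    """True when the peer's advertised hash does not match the outer header we actually received.

    The outer header is not cryptographically protected, so a mismatch is exactly what a NAT
    rewriting the address or port looks like; it is not an integrity failure of the message.
    """
    return advertised != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def port_to_continue_on(peer_behind_nat: bool, self_behind_nat: bool) -> int:
    """Stay on 500 when neither side saw a NAT; otherwise the exchange moves to 4500."""
    return IKE_NATT_PORT if (peer_behind_nat or self_behind_nat) else IKE_PORT


def demo() -> dict:
    # Constructed scenario: initiator 10.0.0.5:500 sits behind a NAT that maps it to
    # 203.0.113.7:61234; the responder is the public host 198.51.100.2:500.
    spi_i = bytes.fromhex("0011223344556677")        # constructed initiator SPI
    spi_r = bytes(8)                                 # responder SPI is zero in the IKE_SA_INIT request
    # What the initiator put in NAT_DETECTION_SOURCE_IP (its own pre-NAT view)...
    src_notify = nat_detection_hash(spi_i, spi_r, "10.0.0.5", 500)
    # ...versus what the responder saw in the outer header (accepted despite the non-500 source port).
    peer_natted = nat_detected(src_notify, spi_i, spi_r, "203.0.113.7", 61234)
    # NAT_DETECTION_DESTINATION_IP: the initiator hashed the responder address it sent to,
    # which the responder compares with its own local address and port.
    dst_notify = nat_detection_hash(spi_i, spi_r, "198.51.100.2", 500)
    self_natted = nat_detected(dst_notify, spi_i, spi_r, "198.51.100.2", 500)
    return {"peer_behind_nat": peer_natted, "self_behind_nat": self_natted,
            "continue_on_port": port_to_continue_on(peer_natted, self_natted)}
```

The responder would then, per the quoted RFC text, reply to 203.0.113.7:61234 and source the reply from the address and port the request arrived on.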