From 435480cb5a28ee44cfdb8485449608b6edcb61cd Mon Sep 17 00:00:00 2001
From: Sheng Yang
Date: Mon, 6 Aug 2012 16:53:55 -0700
Subject: [PATCH] S2S VPN: CS-15641: Enable UDP port 4500 for NAT-T

---
 patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index b0414b93aad..196221295dc 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -67,6 +67,7 @@ check_and_enable_iptables() {
     if [ $? -ne 0 ]
     then
         sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
+        sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
         # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
         sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
     fi
@@ -90,6 +91,7 @@ check_and_disable_iptables() {
     then
         #Nobody else use s2s vpn now, so delete the iptables rules
         sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
+        sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
         sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
     fi
     return 0
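Review bot: The new UDP 4500 ACCEPT in check_and_enable_iptables is appended with `-A` and its exit status is never checked, so a failed insertion (or an INPUT chain that already ends in a DROP/REJECT rule, which `-A` would place this rule after) leaves NAT-T silently unreachable while the function still proceeds; the existing 500 rule has the same pattern, but the added line is the place to stop copying it. A reader also has no hint why 4500 is opened; a one-line comment such as `# NAT-T: IKE and UDP-encapsulated ESP (RFC 3948) arrive on udp/4500` above the rule would carry that. `$outIf` is unquoted in both the added `-A` line and the matching `-D` line in check_and_disable_iptables; writing `-i "$outIf"` matches the quoting a linter would require and is a trivially safe change here. Both functions begin outside the hunks (the `if [ $? -ne 0 ]` tests a command not shown), so whether the caller acts on the return value cannot be judged from this diff.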