On 6/4/06, <b class="gmail_sendername">ted leslie</b> <<a href="mailto:tleslie@tcn.net">tleslie@tcn.net</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
3) I have a successful 2.4.5 openswan installed and a nat-t patched kernel and have it installed,<br> yet
on the "ipsec verify" I see no indication of nat_t? and I have
nat_traversal=y<br> in my ipsec.conf, all restarted, but no mention of nat_t in the "ipsec verify",<br> I see some people claim there should be confirmation of nat-t in "ipsec verify"</blockquote>
<div><br>
Here's what I get -- it only mentions NAT. I am a version behind, but probably it looks similar:<br>
<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><span style="font-family: courier new,monospace;">Checking your system to see if IPsec got installed and started correctly:</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Version check and ipsec on-path [OK]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Linux Openswan U2.4.4/K2.6.9-1.11_FC2 (netkey)</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Checking for IPsec support in kernel [OK]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Checking for RSA private key (/etc/ipsec.secrets) [FAILED]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">ipsec showhostkey: no default key in "/etc/ipsec.secrets"</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Checking that pluto is running [OK]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Two or more interfaces found, checking IP forwarding [OK]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Checking NAT and MASQUERADEing</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Checking for 'ip' command [OK]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Checking for 'iptables' command [OK]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Checking for 'setkey' command for NETKEY IPsec stack support [OK]</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Opportunistic Encryption Support [DISABLED]</span><br>
</blockquote>
<br>
BTW, the "multiple interfaces" check is a bit off. Yes, I have
two (and forwarding enabled), but one of them is just the cable to my
printer, and has nothing to do with IPSEC.<br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">4) I have read that NAT-T and ipsec-pass-through are incompatible. In fact someone has gone as
<br> far
as to say that if ipsec passthrough is enabled on a router (i.e.
linksys), and you<br> use NAT-T, this will not work .. which I find odd, is this true?</blockquote><div><br>
I read here that passthrough in itself is utterly broken, and any router doing it should be thrown in the trash.<br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">6) is there some way to use auth=secret and use roadwarrior without having all the same password?
<br> Can't
leftid/rightid identify the connection, or if the subnet was
particular, isn't<br> that
enough to identify the connection, or does one have to use
x.509 certs for sure<br> with roadwarrior.</blockquote><div><br>
I'd go for x.509. It's easier to get working initially, AND it's safer.<br>
</div><br>
Just my 2 cents.<br>
/Christian<br></div>
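<p>An added ipsec.conf example, not from the thread, showing why the x.509 answer to question 6 holds: a PSK roadwarrior conn with right=%any can only match one shared secret, while a certificate conn identifies each client by its own cert. The subnet, certificate file name, CA and secret values are assumed placeholders.</p>

```ini
# /etc/ipsec.conf (openswan 2.4.x) -- added example, placeholder values
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    # networks roadwarriors may sit behind; exclude our own LAN
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# --- the auth=secret variant the questioner asked about ---
# In IKE main mode the peer's ID arrives only after the PSK has already
# been used to derive keys, so pluto picks the PSK by peer IP address.
# With right=%any the IP is unknown, so every roadwarrior must share the
# single "%any" line in ipsec.secrets (e.g.  %any : PSK "one-shared-secret").
conn roadwarrior-psk
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=%any
    rightsubnet=vhost:%no,%priv
    authby=secret
    auto=add

# --- the x.509 variant recommended in the reply ---
# Each client presents its own certificate; the ID is the cert subject DN
# and is checked against the CA, so no secret is shared between clients.
conn roadwarrior-x509
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftcert=gateway.pem          # placeholder, lives in /etc/ipsec.d/certs
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightca=%same                 # accept any client cert signed by our CA
    rightsubnet=vhost:%no,%priv
    authby=rsasig
    auto=add
```

<p>After reloading, the "Checking for RSA private key" line of ipsec verify should report [OK] once the gateway key referenced by leftcert is listed in /etc/ipsec.secrets.</p>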