<br><br><div class="gmail_quote">On Tue, Feb 17, 2009 at 5:30 PM, Paul Wouters <span dir="ltr">&lt;<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On Tue, 17 Feb 2009, Shasi Thati wrote:</div></blockquote><div>Thanks for your response, </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
<font color="#993399"><br></font><font color="#993399">
</font><font color="#993399"><br></font></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font color="#993399">
</font><font color="#3333ff">>Can you tell us more about this? Does it accelerate via OCF? Other means?<br>
>And for KLIPS or NETKEY?</font></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am using the NETKEY interface and the Linux IPSec stack (Linux Crypto API, not the OCF) </blockquote>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> provides me the necessary offload.</blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<font color="#6600cc">
</font><font color="#3333ff">>The responder side also needs a virtual_private= line</font></blockquote><div> </div><div>I have added the following virtual_private line to the below setup.</div><div># /etc/ipsec.conf - FreeS/WAN IPsec configuration file<br>
<br>version 2.0<br>#config setup<br> config setup</div><div><br> interfaces=%defaultroute<br> protostack=netkey<br> klipsdebug=none<br> plutodebug=all<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<font color="#6600cc"> </font><font color="#000000">virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16</font></blockquote>
<div><font color="#000000"> </font></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font color="#000000">#Simple Host to Host Connection</font><font color="#000000"><br>
</font><font color="#000000">conn tunnel-to-tunnel</font><font color="#000000"><br></font><font color="#000000"> type=tunnel</font><font color="#000000"><br></font><font color="#000000"> forceencaps=yes</font><font color="#000000"><br>
</font><font color="#000000"> left=192.168.1.100 </font><font color="#000000"><br></font><font color="#000000"> leftsubnet=10.66.21.0/24</font><font color="#000000"><br>
</font><font color="#000000"> leftrsasigkey=&lt;right key&gt;</font><font color="#000000"><br>
</font><font color="#000000"> right=192.168.2.100 </font><font color="#000000"><br></font><font color="#000000"> rightsubnet=10.66.12.0/24</font><font color="#000000"><br>
</font><font color="#000000"> rightrsasigkey=&lt;left key&gt;</font><font color="#000000"><br>
</font><font color="#000000"> keyingtries=1 </font><font color="#000000"><br></font><font color="#000000"> auto=add</font><div><br>
But in spite of that I still see the Setting NAT-Traversal <font color="#cc0000">port-4500 floating to off.</font><font color="#000000"> I am not sure what is wrong; is my virtual_private entry or anything else wrong in the config file? I am starting to wonder if NAT traversal is enabled in the first place (although I have set nat_traversal=yes in the config file). How do I make sure of that? When we compile Openswan, do we separately need to configure nat_traversal or is it not required?</font></div>
</blockquote><div></div><div>pluto[2253]: Starting Pluto (Openswan Version 2.5.17; Vendor ID OEztC{yJaHh[) pid:2253<br>
pluto[2253]: Setting NAT-Traversal port-4500 floating to off<br>pluto[2253]: port floating activation criteria nat_t=0/port_float=1<br>pluto[2253]:<font color="#990000"> </font><font color="#000000">including NAT-Traversal patch (Version 0.6c)</font><font color="#ff0000"> [disabled]</font></div>
<div><font color="#ff0000"></font></div><div> Also I am using the same config file on both sides, is that okay? </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
Thanks in advance,<br>
-Shasi<br></div><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>