Hey everyone.

I'm trying to set up Openswan on Ubuntu 9.10 and can't get UDP encapsulation to work.

I found this in my logs:

"Apr 11 23:36:19 mufasa ipsec_setup: Stopping Openswan IPsec...
Apr 11 23:36:20 mufasa ipsec_setup: ...Openswan IPsec stopped
Apr 11 23:36:20 mufasa ipsec_setup: Starting Openswan IPsec U2.6.22/K2.6.31-20-generic-pae...
Apr 11 23:36:20 mufasa ipsec_setup: Using NETKEY(XFRM) stack
Apr 11 23:36:20 mufasa ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Apr 11 23:36:20 mufasa ipsec_setup: ...Openswan IPsec started
Apr 11 23:36:20 mufasa ipsec__plutorun: 002 added connection description "rw-win"
Apr 11 23:36:20 mufasa ipsec__plutorun: 002 added connection description "rw-mac"
Apr 11 23:36:20 mufasa ipsec__plutorun: 002 added connection description "roadwarrior"
Apr 11 23:36:20 mufasa ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Apr 11 23:36:20 mufasa ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Apr 11 23:36:20 mufasa ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T"

Here's my ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
#       interfaces="ipsec0=eth0"
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.33.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

#include /etc/ipsec.d/l2tp-psk.conf
# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start

conn %default
        keyingtries=3
#       compress=yes
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn rw-win
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn rw-mac
        leftprotoport=17/1701
        rightprotoport=17/%any
        also=roadwarrior

conn roadwarrior
        auto=add
        authby=secret
        pfs=no
        type=transport
        rekey=no
        keyingtries=3
        left=%defaultroute
        leftnexthop=72.231.160.1
#       leftprotoport=17/1701
#       leftsubnet=10.0.33.0/24
        right=%any
        rightnexthop=%defaultroute
#       rightsubnet=vhost:%no,%priv
#       rightprotoport=17/%any
        forceencaps=yes

Does anyone know how to get UDP encapsulation to work?
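
An added example, not part of the original post: a small Python check that resolves `also=` inheritance between conn sections (so you can see which connections actually end up with `forceencaps=yes`) and flags `left`/`right`/nexthop values whose %-keyword is not a documented one. The sample config is constructed, modelled on the conn sections above; the precedence order in `effective` and the `KNOWN` keyword list are assumptions.

```python
import re
# Constructed sample modelled on the conn sections above (not the poster's full file).
SAMPLE = """\
conn %default
    keyingtries=3

conn rw-mac
    rightprotoport=17/%any
    also=roadwarrior

conn roadwarrior
    left=%defaultrote
    right=%any
    forceencaps=yes
"""
# %-keywords from ipsec.conf(5) for left/right/nexthop; assumed complete enough for this check.
KNOWN = {"%defaultroute", "%any", "%direct", "%group", "%opportunistic", "%opportunisticgroup"}

def parse(text):
    """Map each conn name to its (key, value) pairs; comments and other sections are skipped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # a section header starts in column 0
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name.strip(), []) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            cur.append((key.strip(), value.strip()))
    return conns

def effective(conns, name, seen=()):
    """Assumed precedence: conn %default, then also= targets, then the conn's own lines."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    out = {} if seen else dict(conns.get("%default", []))
    for k, v in conns[name]:
        if k == "also":
            out.update(effective(conns, v, seen + (name,)))
    out.update((k, v) for k, v in conns[name] if k != "also")
    return out

def lint(text):  # -> [(conn, key, value)] for address settings with an unknown %-keyword
    conns = parse(text)
    return [(n, k, v) for n in conns if n != "%default"
            for k, v in sorted(effective(conns, n).items())
            if re.fullmatch(r"(left|right)(nexthop)?", k) and v.startswith("%") and v not in KNOWN]
```

Run `lint(open("/etc/ipsec.conf").read())` against a real file; an empty list means every address keyword was recognised.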