[Openswan dev] openswan 2.1.0rc1 rpms
Michael Richardson
mcr at sandelman.ottawa.on.ca
Tue Mar 9 19:10:59 CET 2004
>>>>> "Axel" == Axel Thimm <Axel.Thimm at ATrpms.net> writes:
>> Fedora Core 1 does not natively provide the UDP encapsulation
>> needed for NAT Traversal. I think Paul was referring to the
>> upcoming FC2, which will have a 2.6 kernel.
Axel> So NAT-T will work only with 2.6 (and 2.4 with backported 2.6
Axel> ipsec code like RHEL)? Is there no ESPINUDP patch for 2.4?
No, that's correct.
NAT-T will work with any kernel that has been patched.
That would include:
1) all 2.6 kernels. (maybe not 2.6.0?)
2) 2.4 with back-ported 26sec
3) any kernel source tree that has had:
   ( cd openswan-X.Y.Z && make nattpatch ) | (cd /usr/src/linux && patch -p1)
done to it prior to a *complete* build.
A *MODULE* build of *KLIPS* won't get you NAT-T, since you have to
rebuild all of IPv4. There is no way to patch it into a distro kernel
after the fact. At one point, we discussed doing an iptables based NAT-T
module, which would be loadable.
{If there is *significant* interest in doing this let me know}
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
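
Added example (not part of the original message and not Openswan code): a small probe that asks the running kernel whether a UDP socket can be switched to ESP-in-UDP encapsulation, which is the kernel feature the message says must be present for NAT-T. It assumes the kernel exposes this through the UDP_ENCAP socket option, as the native 2.6 IPsec stack does; the message does not say how a 2.4 tree patched with "make nattpatch" exposes it, and the function names are made up for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Values from <linux/udp.h>; defined here in case the libc headers lack them. */
#ifndef UDP_ENCAP
#define UDP_ENCAP 100
#endif
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP 2   /* ESP-in-UDP as used by NAT-T (RFC 3948) */
#endif

enum natt_status { NATT_SUPPORTED, NATT_UNSUPPORTED, NATT_UNKNOWN };

/* Turn a setsockopt() return code and errno into a verdict.
 * ENOPROTOOPT means the UDP code does not know this option or
 * encapsulation type, i.e. the kernel was built without it. */
enum natt_status natt_classify(int rc, int err)
{
    if (rc == 0)
        return NATT_SUPPORTED;
    if (err == ENOPROTOOPT)
        return NATT_UNSUPPORTED;
    return NATT_UNKNOWN;       /* e.g. sandbox restrictions, EPERM */
}

/* Open a throwaway UDP socket and try to enable ESP-in-UDP on it.
 * The socket is never bound, so no traffic is sent or received. */
enum natt_status natt_probe(void)
{
    int type = UDP_ENCAP_ESPINUDP;
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (fd < 0)
        return NATT_UNKNOWN;
    int rc = setsockopt(fd, IPPROTO_UDP, UDP_ENCAP, &type, sizeof(type));
    int err = errno;           /* save before close() can overwrite it */
    close(fd);
    return natt_classify(rc, err);
}

int main(void)
{
    static const char *msg[] = { "supported", "not supported", "unknown" };
    printf("kernel ESP-in-UDP encapsulation: %s\n", msg[natt_probe()]);
    return 0;
}
```

A "not supported" result on a distribution kernel matches the situation described above: loading a KLIPS module will not change it, because the encapsulation hook lives in the kernel's own IPv4/UDP code.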