[Openswan dev] openswan 2.1.0rc1 rpms

Michael Richardson mcr at sandelman.ottawa.on.ca
Tue Mar 9 19:10:59 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Axel" == Axel Thimm <Axel.Thimm at ATrpms.net> writes:
    >> Fedora Core 1 does not natively provide the UDP encapsulation
    >> needed for NAT Traversal. I think Paul was referring to the
    >> upcoming FC2, which will have a 2.6 kernel.

    Axel> So NAT-T will work only with 2.6 (and 2.4 with backported 2.6
    Axel> ipsec code like RHEL)? Is there no ESPINUDP patch for 2.4?

  No, that's correct.
  NAT-T will work with any kernel that has been patched.

  That would include:
       1) all 2.6 kernels.		(maybe not 2.6.0?)
       2) 2.4 with back-ported 26sec
       3) any kernel source tree that has had:

       ( cd openswan-X.Y.Z && make nattpatch ) | (cd /usr/src/linux &&
patch -p1) 
       done to it prior to a *complete* build.

  A *MODULE* build of *KLIPS* won't get you NAT-T, since you have to
rebuild all of IPv4. There is no way to patch it into a distro kernel
after the fact. At one point, we discussed doing an iptables based NAT-T
module, which would be loadable. 

  {If there is *significant* interest in doing this let me know}

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQE5dEYqHRg3pndX9AQEhVwP/bF9O8Q3AyRcwRLSjNQBHSenqEYdPMRre
y+aXlg4g1gAxMGDHMw2MzUJScgeAbnUvzJk8T4TcwTtoOFwxyus18t2rHBxCwqg4
vKSwpfcsH8/1rYsBeGTdTVzA0mcRG7ChxxMmJhgq665NymPexnIwCp2KsZ13bhll
/ghJW9ktZdU=
=XbWW
-----END PGP SIGNATURE-----


More information about the Dev mailing list