[Openswan dev] Re: [PATCH] Openswan and OS X with NAT-T
Peter Van der Beken
peterv at propagandism.org
Tue Sep 27 16:28:45 CEST 2005
I used PSK, I was hoping to use certificates at some point in the future
but I don't have time to look into that right now.
Paul Wouters wrote:
> On Mon, 26 Sep 2005, Michael Richardson wrote:
>> No, that's not the case at all.
>> That's what vendor IDs are for --- to work around bugs in your old code.
Which is why I chose to only accept those values for that specific
vendor ID. AFAIK it isn't used by anyone else.
> Peter's patch was backported to v2_4_X and I managed to successfully setup
> an L2TP connection on MacOSX Tiger from behind NAT.
Cool, so I wasn't hallucinating ;-).
> The strange thing is the line that says:
> NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
> First, we are not really using RFC 3947 but the "apple bug" version
> of it.
That's odd, I think I saw "using draft-ietf-ipsec-nat-t-ike (OS X)". Can
you verify that it's not just the strings that are inverted by
connecting with an RFC 3947 compliant client?
> And second, both ends are not NAT'ed, only my MacOSX was
> NAT'ed. aivd.xelerance.com, the other end, is on public IP. Is this the
> expected behaviour from the patch? After all, it does work. But I find
> the messages a bit confusing.
I noticed the same thing. When I tried to connect locally with no NAT in
between, it also claimed to detect two NATs. The connection works, but I
wonder why it thinks there are two NATs when there aren't any.
I'm a newbie wrt IPSEC and I need to get back to my real job, so I'm not
going to be able to take this a lot further.