[Openswan Users] Re: NAT-T on debian

Rene Mayrhofer rene.mayrhofer at gibraltar.at
Fri Apr 23 11:38:49 CEST 2004

Lewis wrote:
> I've been attempting  without success (like a few other list users)
> to get a working ipsec with NAT-T support.  I was under the
> impression that NAT-T was supported in the Debian >= 2.6.4 kernels
> via the native ipsec stack; no patch need be applied it?
Yes, this is true.

> The directions for the openswan-2.1.2rc3  install, suggest install
> right over the top for 2.6 kernels.   My experience has indicated
> that for Debian systems it is a little more complex.  The default
> install to /usr/local/... leaves the old version in place at /usr/lib
> which still runs.   I have been told there are some development
> issues with pluto currently in openswan, where pluto immediately
> segmentation faults on start, for which I have not been able to
> negotiate a solution for. I've noted that patching the 2.4.26
> debianised kernel with the openswan generated NAT-T patch fails 1 of
> 3 hunks.
openswan hit Debian unstable today (it took a while to get through), so
compiling it yourself should not longer be necessary. Just install the
binary package.

> The big Question... Are there currently any known NAT-T functional
> ..swan versions running on debian unstable?  I'm willing to put the
> hard yards in (again), happy to use 2.4  kernels...just keep hitting
> dead ends... Rene, I read in the dev archives that something might be
> around the corner for an openswan deb package?
There has been reported success with NAT-T with Debian kernels and a 
preliminary openswan package, but I have to admit that I haven't tried 
this myself (still using freeswan with hand-made kernels on my 
production firewalls). Please let me know if you run into problems.

best regards,

More information about the Users mailing list