[Openswan Users] NAT-T and netfilter

Clive A Stubbings openswan at vjet.demon.co.uk
Tue Aug 17 00:59:47 CEST 2004


Thanks Herbert (and others)..

I pulled the 5 patch files from patch-o-matic and applied them. A couple
needed some minor tweaks, but looks like it's working! Certainly the
tunnel came up and pings and other data went through it.

For anyone else, the patches I applied are from patch-o-matic-ng-20040621

	nf_reset
	ipsec-01-output-hooks
	ipsec-02-input-hooks
	ipsec-03-policy-lookup
	ipsec-04-policy-checks

And I applied against the FC2 2.6.5 kernel

Ethereal does now seem to see some 'extra' packets too, which look like
the unencrypted data, but they have a missing ethernet header (i.e. 14
bytes, mac-sa, mac-da and type) so ethereal fails to work out what they
are. I will report that to the patch owner ;-)



Cheers
Clive


> Clive A Stubbings <openswan at vjet.demon.co.uk> wrote:
> > 
> > In openswan on 2.6 kernel the local NAT operations don't seem to work. It
> > looks like the encapsulated data does not get stuffed back into the
> > stack in the right place - or the kernel thinks it's already been through
> > the netfilter tables...
>
> Known problem.
>
> NAT + IPsec is currently broken in 2.6.  Your choices are:
>
> 1) Test the NAT + IPsec patch available at www.netfilter.org.
> 2) Use KLIPS.
>
> Cheers,
> -- 
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu <herbert at gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
>
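A small diagnostic for the capture oddity described above (decrypted packets re-injected without the 14-byte Ethernet header), added here as an example that is not from the original post, the patch-o-matic patches, or Ethereal: it classifies raw capture buffers as Ethernet-framed IPv4, bare IPv4, or unknown. It decides using the IPv4 header checksum rather than the EtherType alone, because the source-address bytes of a bare IPv4 header sit exactly where an EtherType field would be, so a packet from an 8.x.x.x address would otherwise be mistaken for an Ethernet frame. The MAC addresses, IP addresses and ICMP payload are constructed sample data.

```python
import struct

ETH_P_IP = 0x0800          # EtherType for IPv4
ETH_HDR_LEN = 14           # dst MAC (6) + src MAC (6) + EtherType (2)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_ipv4(buf: bytes) -> bool:
    """True if buf begins with a well-formed IPv4 header (version, IHL, length, checksum)."""
    if len(buf) < 20:
        return False
    version, ihl = buf[0] >> 4, (buf[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        return False
    total_len = struct.unpack("!H", buf[2:4])[0]
    if total_len < ihl:
        return False
    hdr = bytearray(buf[:ihl])
    stored = struct.unpack("!H", buf[10:12])[0]
    hdr[10:12] = b"\x00\x00"
    return ipv4_checksum(bytes(hdr)) == stored


def classify_frame(frame: bytes) -> str:
    """Return 'ethernet-ipv4', 'raw-ipv4' (no link-layer header) or 'unknown'."""
    if (len(frame) >= ETH_HDR_LEN
            and struct.unpack("!H", frame[12:14])[0] == ETH_P_IP
            and looks_like_ipv4(frame[ETH_HDR_LEN:])):
        return "ethernet-ipv4"
    if looks_like_ipv4(frame):
        return "raw-ipv4"
    return "unknown"


def summarize(frames) -> dict:
    """Count frames per class; a non-zero 'raw-ipv4' count is the symptom from the post."""
    counts = {"ethernet-ipv4": 0, "raw-ipv4": 0, "unknown": 0}
    for f in frames:
        counts[classify_frame(f)] += 1
    return counts


# --- constructed sample data (not captured traffic) -------------------------

def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet with a correct header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0, 0, 64, proto, 0, _ip(src), _ip(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


ICMP_ECHO = b"\x08\x00\xf7\xff\x00\x00\x00\x00"   # constructed, checksum not validated here
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)

SAMPLES = {
    # normal frame as a sniffer expects it
    "ethernet": ETH_HDR + build_ipv4_packet("10.0.0.1", "10.0.0.2", 1, ICMP_ECHO),
    # decrypted packet re-injected without its link-layer header
    "bare": build_ipv4_packet("10.0.0.1", "10.0.0.2", 1, ICMP_ECHO),
    # bare packet whose source address bytes (08 00 ...) mimic an IPv4 EtherType
    "bare_ambiguous": build_ipv4_packet("8.0.0.1", "10.0.0.2", 1, ICMP_ECHO),
    # junk and a truncated buffer
    "zeros": b"\x00" * 30,
    "short": b"\x45\x00",
}


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:15s} -> {classify_frame(frame)}")
    print(summarize(SAMPLES.values()))
```

Feeding the raw packet bytes of a capture through `summarize` gives a quick count of how many buffers lack a link-layer header, which is the condition that made Ethereal unable to dissect the re-injected plaintext.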

