[Openswan Users] NAT-T and netfilter
Clive A Stubbings
openswan at vjet.demon.co.uk
Tue Aug 17 00:59:47 CEST 2004
Thanks Herbert (and others)..
I pulled the 5 patch files from patch-o-matic and applied them. A couple
needed some minor tweaks, but it looks like it's working! Certainly the
tunnel came up and pings and other data went through it.
For anyone else, the patches I applied are from patch-o-matic-ng-20040621
nf_reset
ipsec-01-output-hooks
ipsec-02-input-hooks
ipsec-03-policy-lookup
ipsec-04-policy-checks
And I applied them against the FC2 2.6.5 kernel.
Ethereal does now seem to see some 'extra' packets too, which look like
the unencrypted data, but they have a missing ethernet header (ie 14
bytes, mac-sa, mac-da and type) so ethereal fails to work out what they
are. I will report that to the patch owner ;-)
Cheers
Clive
> Clive A Stubbings <openswan at vjet.demon.co.uk> wrote:
> >
> > In openswan on 2.6 kernel the local NAT operations don't seem to work. It
> > looks like the encapsulated data does not get stuffed back into the
> > stack in the right place - or the kernel thinks its already been through
> > the netfilter tables...
>
> Known problem.
>
> NAT + IPsec is currently broken in 2.6. Your choices are:
>
> 1) Test the NAT + IPsec patch available at www.netfilter.org.
> 2) Use KLIPS.
>
> Cheers,
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu <herbert at gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
>
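The frames Clive describes, which show up in a capture without the 14-byte Ethernet header, are easy to spot with a small heuristic classifier. The following is an added example, not code from the thread, from Openswan or from the netfilter patches: it first tries to read a frame as Ethernet + IPv4 and, failing that, as a bare IPv4 packet, and then labels the transport (ESP, UDP port 4500 for NAT-T, or other). The sample frames, MAC addresses and IP addresses are constructed for the example; the classifier is a heuristic and does not verify IP checksums.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port used for NAT-Traversal encapsulation of ESP


def parse_ipv4(buf):
    """Parse a minimal IPv4 header; return a dict, or None if the bytes are inconsistent."""
    if len(buf) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    # Reject anything whose version, header length or total length do not add up.
    if version != 4 or ihl < 20 or total_len < ihl or len(buf) < ihl:
        return None
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "ihl": ihl,
        "total_len": total_len,
    }
    if proto == IPPROTO_UDP and len(buf) >= ihl + 8:
        sport, dport = struct.unpack("!HH", buf[ihl:ihl + 4])
        info["udp"] = (sport, dport)
    return info


def classify_frame(frame):
    """Return (kind, ip_info): kind is 'ethernet', 'bare-ip' or 'unknown'."""
    if len(frame) >= ETH_HDR_LEN:
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETHERTYPE_IPV4:
            ip = parse_ipv4(frame[ETH_HDR_LEN:])
            if ip is not None:
                return "ethernet", ip
    # No plausible Ethernet header: try the buffer as a raw IPv4 packet, which is
    # what a decrypted packet re-injected without link-layer framing looks like.
    ip = parse_ipv4(frame)
    if ip is not None:
        return "bare-ip", ip
    return "unknown", None


def describe(ip):
    """Name the transport of a parsed IPv4 packet from an IPsec point of view."""
    if ip["proto"] == IPPROTO_ESP:
        return "ESP"
    if ip["proto"] == IPPROTO_UDP and NAT_T_PORT in ip.get("udp", ()):
        return "UDP-encapsulated ESP (NAT-T)"
    if ip["proto"] == IPPROTO_ICMP:
        return "ICMP"
    return "proto %d" % ip["proto"]


def summarize(frame):
    kind, ip = classify_frame(frame)
    if ip is None:
        return kind
    return "%s: %s -> %s %s" % (kind, ip["src"], ip["dst"], describe(ip))


# --- constructed sample frames (not captured traffic) ---
def build_ipv4(src, dst, proto, payload):
    # Minimal 20-byte header; checksum left as zero since the parser does not check it.
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_ethernet(payload):
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def udp_payload(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Outer NAT-T packet as seen on the wire, with its Ethernet header present.
SAMPLE_NAT_T = build_ethernet(build_ipv4("192.168.1.10", "203.0.113.5", IPPROTO_UDP,
                                         udp_payload(4500, 4500, b"\x00\x00\x00\x01" + b"\x00" * 28)))
# Outer ESP packet with Ethernet header present.
SAMPLE_ESP = build_ethernet(build_ipv4("192.168.1.10", "203.0.113.5", IPPROTO_ESP, b"\x00" * 16))
# Decrypted inner packet re-injected without the 14-byte Ethernet header (ICMP echo).
SAMPLE_PLAINTEXT = build_ipv4("10.0.0.2", "10.0.1.7", IPPROTO_ICMP, b"\x08\x00\x00\x00" + b"\x00" * 8)
SAMPLE_GARBAGE = b"\xff" * 30

if __name__ == "__main__":
    for name, frame in [("nat-t", SAMPLE_NAT_T), ("esp", SAMPLE_ESP),
                        ("plaintext", SAMPLE_PLAINTEXT), ("garbage", SAMPLE_GARBAGE)]:
        print(name, "=>", summarize(frame))
```

The "bare-ip" branch is only tried after the Ethernet interpretation fails, because a random 14-byte MAC/type prefix can by chance start with a 0x45 byte; conversely, an IPv4 source address whose first two bytes happen to equal 0x0800 would be mis-read as an EtherType, so treat the labels as a triage aid rather than a guarantee.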