[Openswan Users] Help:how to do ESPinUDP?
swcims at 163.com
Tue Aug 17 21:11:52 CEST 2004
Sorry about my incorrectly using "urgent".
You know,super-fs 1.99.8 on my mips linux 2.4.17 works well.I have no time enough to use openswan-2 instead.So,I think the quick way is to use a good nat-t patch for super-fs.I ever heard that super-fs1.99.8 has nat-t inside.
I read draft-ietf-ipsec-udp-encaps-08.txt.It seems that every ipsec/esp packet should be "espinudp" encapsulation.But when I use "pluto --nat_traversal",I can't find this encapsulation in ISKAMP or ESP packet.Would openswan-2 make every ipsec traffic encapsulated?
Would you please provide some suggestion?Thank you very much!
======= 2004-08-17 17:51:32 wrote:=======
>On Tue, 17 Aug 2004, swcims wrote:
>> I am using super-fs 1.9.8 on linux 2.4.17 and it works well.Now I'd like it to support "draft-ietf-ipsec-udp-encaps-08.txt" and "draft-ietf.ipsec-nat-t-ike-08.txt",so I use "pluto --nat_traversal" command.Is this command enough for that requirement?
>> I think,according to draft-ietf-ipsec-udp-encaps-08,every ipsec packet should be "espinudp" encapsulation.But it seems to freeswan that it doesn't do this encapsulation when there is nat device between!Is it a problem?
>> Any suggestion is highly appreciated!
>You cc:ed me on this urgent message. I am providing user support on the
>mailinglists at no cost. This means you cannot ask "urgent" requests
>If you really need urgent assistance from Xelerance, we can talk about
>a support contract.
>There has been talk on the openswan-dev list about nat-t support in the
>kernel. In 2.6 this has been fixed. I am not entire sure about the state
>in 2.4, but 2.4.17 is surely too old.
>Apart from that, any superfreeswan kernel patch will have an too old,
>broken nat-t patch in it.
>I recommend switching from superfreeswan to openswan-2.
= = = = = = = = = = = = = = = = = = = =
swcims at 163.com
More information about the Users