[Openswan Users] Forcing udp-encaps when not on a NAT'd connection?
Ken Bantoft
ken at xelerance.com
Fri Jun 11 04:39:19 CEST 2004
On Thu, 10 Jun 2004, Nate Carlson wrote:
> On Thu, 10 Jun 2004, Mathieu Lafon wrote:
> > Yes, you need to enable it on at least one gateway and they will both
> > think that there is NAT between them and enable ESPinUDP.
>
> Very cool! I'll have to give that a shot.
>
> > Doing it on a per-connection basis is not very difficult.
>
> I took a look at the code, and it's certainly beyond my skills to add it
> for per-connection (I never claim to be a C programmer).. it looks like it
> certainly wouldn't be too difficult to enable as a global at least (maybe
> add a nat_traversal=force option that enables FORCE_NAT_TRAVERSAL).
> Per-connection would be the ideal, of course.
Yes, you did it globally. Ugh.
> I did decide to see if I could hack it up to work globally
> (nat_traversal=force option), and came up with the attached patch - note
> that I am not a C programmer, so this could very well break things. It
> seems to work for me; if I set it to force, however, I can't connect to
> one of my VPN hosts for some reason - the rest work fine.
Perhaps it can't deal with forced NAT-T? This should be per conn. Check
out how DPD is dealt with in the auto/_confread/_readconf and whack to
turn this into a per-conn option. It would definitely get accepted into
mainline code.
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson