[Openswan Users] red hat enterprise and nat-traversal

Morgan Marodin mmarodin at develon.com
Mon Mar 29 13:44:39 CEST 2004


Hi!

Now disabling OE my red hat works!
With ipsec backport of the red hat kernel and also with the compiled module 
of openswan (but using this I have to add manually the route to the 
rightsubnet via dev ipsec0).

Ok. Now ... the next step: Nat-T.

I have configured my gw to work with this option + certs and at the other 
side a win client in the same way of an "old" my freeswan installation.
But ... it doesn't work.

----------------------------------------------------------------------------------------------------------------------------------------
[root at platoon etc]# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 111.111.111.35
000 interface eth0/eth0 111.111.111.35
000 interface eth1/eth1 192.168.100.1
000 interface eth1/eth1 192.168.100.1
000 %myid = (none)
000 debug none
000
000 "nattest": 192.168.100.0/24===111.111.111.35[C=IT, ST=Vxxx, O=Dxxx, 
CN=name]...%any[C=IT, ST=Vxxx, O=Dxxx, CN=Mario Rossi, 
E=mrossi at Dxxx.com]===192.168.2.0/24; unrouted; eroute owner: #0
000 "nattest":   CAs: 'C=IT, ST=Vxxx, L=Axxxxx, O=Dxxx, 
CN=ca.Dxxx.com'...'%any'
000 "nattest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 0
000 "nattest":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: 
eth0;
000 "nattest":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "nattest"[2]: 192.168.100.0/24===111.111.111.35[C=IT, ST=Vxxx, O=Dxxx, 
CN=name]...222.222.222.6:1[C=IT, ST=Vxxx, O=Dxxx, CN=Mario Rossi, 
E=mrossi at Dxxx.com]===192.168.2.0/24; unrouted; eroute owner: #0
000 "nattest"[2]:   CAs: 'C=IT, ST=Vxxx, L=Axxxxx, O=Dxxx, 
CN=ca.Dxxx.com'...'%any'
000 "nattest"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 0
000 "nattest"[2]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; 
interface: eth0;
000 "nattest"[2]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "nattest"[2] 222.222.222.6:1 STATE_MAIN_R2 (sent MR2, expecting 
MI3); EVENT_RETRANSMIT in 3s
----------------------------------------------------------------------------------------------------------------------------------------

I think that could be caused by the ipsec backport.

+/* This defines the TYPE of Nat Traversal in use.  Currently only one
+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06
+ */

(It doesn't work also with the module compiled from openswan tarball)

----------------------------------------------------------------------------------------------------------------------------------------
[root at platoon log]# tail -f messages
Mar 29 11:01:38 platoon kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
Mar 29 11:02:16 platoon last message repeated 7 times
----------------------------------------------------------------------------------------------------------------------------------------

Now ... is there a way to use/define the type of Nat-Traversal?

Thanks and regards.
Morgan



More information about the Users mailing list