[Openswan Users]
NAT-T transport mode & virtual_private (repost - no HTML)
Gene Hand
ghand at pestructural.com
Mon Mar 29 15:51:33 CEST 2004
Ugh.. sorry about that.. thought my ISP's webmail used plaintext. Trying
again..
Hello all -
Time to stop lurking and jump in on the action. I've successfully installed
2.1.1 with NAT-T support and can connect from the MS L2TP client. Ran into
a few problems along the way though:
- When I first tried to connect through NAT, I got "NAT-Traversal: Transport
mode disabled due to security concerns". Finally tracked this down to the
USE_NAT_TRAVERSAL_TRANSPORT_MODE option in programs/pluto/Makefile which in
turn passes I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT. The
problem appears to be that Makefile.inc has
"USE_NAT_TRAVERSAL_TRANSPORT?=true" - note the missing "_MODE" at the end.
Added it on, recompiled, and all was well for me. Just checked CVS and it
looks like this is now set to false by default but is still missing the
little bit at the end there.
- I was also trying to use the virtual_private directive as documented in
Mathieu's patch. This had worked for me before with super freeswan but now
if I try to use
"virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!19
2.168.1.0/24", I get "3 bad entries in virtual_private - none loaded". If I
only use one at a time, ie "virtual_private=%v4:10.0.0.0/8" it doesn't
complain, but I can't seem to get any more than that. For now I've just
setup separate entries with a rightsubnetwithin parameter for each private
subnet. There's a probably a better way to do it but that's working for me
at the moment.. anyone else run into this?
I'm also having the pluto coredump problem with a CRL but it looks like
that's already been discussed so I'll just do without a CRL for now. :)
Think that's it! Let me know if you want additional info/complete
configs/etc. Thanks.
More information about the Users
mailing list