[Openswan Users] red hat enterprise and nat-traversal

Morgan Marodin mmarodin at develon.com
Wed Mar 31 17:26:20 CEST 2004


Hi.

Now it's all ok!
My red hat enterprise linux ES now works fine with Nat-t and ipsec backport.

The problems were:
- a configuration of certs :)
- the _updown_script for the connection

Thanks to Paul and Ken for previous suggestions.
Morgan

At 17.42 29/03/2004, Morgan Marodin wrote:
>Hi!
>
>Now, with OE disabled, my red hat works!
>With the ipsec backport of the red hat kernel and also with the compiled 
>module of openswan (but using this I have to manually add the route to the 
>rightsubnet via dev ipsec0).
>
>Ok. Now ... the next step: Nat-T.
>
>I have configured my gw to work with this option + certs, and at the other 
>side a win client, in the same way as an "old" freeswan installation of mine.
>But ... it doesn't work.
>
>----------------------------------------------------------------------------------------------------------------------------------------
>[root at platoon etc]# ipsec auto --status
>000 interface lo/lo 127.0.0.1
>000 interface lo/lo 127.0.0.1
>000 interface eth0/eth0 111.111.111.35
>000 interface eth0/eth0 111.111.111.35
>000 interface eth1/eth1 192.168.100.1
>000 interface eth1/eth1 192.168.100.1
>000 %myid = (none)
>000 debug none
>000
>000 "nattest": 192.168.100.0/24===111.111.111.35[C=IT, ST=Vxxx, O=Dxxx, 
>CN=name]...%any[C=IT, ST=Vxxx, O=Dxxx, CN=Mario Rossi, 
>E=mrossi at Dxxx.com]===192.168.2.0/24; unrouted; eroute owner: #0
>000 "nattest":   CAs: 'C=IT, ST=Vxxx, L=Axxxxx, O=Dxxx, 
>CN=ca.Dxxx.com'...'%any'
>000 "nattest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
>rekey_fuzz: 100%; keyingtries: 0
>000 "nattest":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; 
>interface: eth0;
>000 "nattest":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>000 "nattest"[2]: 192.168.100.0/24===111.111.111.35[C=IT, ST=Vxxx, O=Dxxx, 
>CN=name]...222.222.222.6:1[C=IT, ST=Vxxx, O=Dxxx, CN=Mario Rossi, 
>E=mrossi at Dxxx.com]===192.168.2.0/24; unrouted; eroute owner: #0
>000 "nattest"[2]:   CAs: 'C=IT, ST=Vxxx, L=Axxxxx, O=Dxxx, 
>CN=ca.Dxxx.com'...'%any'
>000 "nattest"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
>540s; rekey_fuzz: 100%; keyingtries: 0
>000 "nattest"[2]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; 
>interface: eth0;
>000 "nattest"[2]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
>000
>000 #2: "nattest"[2] 222.222.222.6:1 STATE_MAIN_R2 (sent MR2, expecting 
>MI3); EVENT_RETRANSMIT in 3s
>----------------------------------------------------------------------------------------------------------------------------------------
>
>I think that could be caused by the ipsec backport.
>
>+/* This defines the TYPE of Nat Traversal in use.  Currently only one
>+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06
>+ */
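Review bot: the comment on these added lines says only draft-ietf-ipsec-udp-encaps-06 is supported but does not say which encapsulation type value that corresponds to. Naming the accepted value in the comment would let a reader match it against a kernel message such as "Unhandled UDP encap type: 1", quoted further down in this mail.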
>
>(It also doesn't work with the module compiled from the openswan tarball)
>
>----------------------------------------------------------------------------------------------------------------------------------------
>[root at platoon log]# tail -f messages
>Mar 29 11:01:38 platoon kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
>Mar 29 11:02:16 platoon last message repeated 7 times
>----------------------------------------------------------------------------------------------------------------------------------------
>
>Now ... is there a way to use/define the type of Nat-Traversal?
>
>Thanks and regards.
>Morgan