[Openswan Users] NAT-T in native stack??
Paul Wouters
paul at xelerance.com
Tue May 18 22:07:25 CEST 2004
On Tue, 18 May 2004, Rene Mayrhofer wrote:
> > USE_NAT_TRAVERSAL_TRANSPORT_MODE?=true
> >
> > in Makefile.inc. Note the _MODE part, which was missing in previous versions,
> > and might still be missing in 2.1.1. (It is fixed in cvs)
> > This is neccessary for WinXP/2K
> Ok, added this to Makefile.inc.
>
> > For the native stack, also apply the fix from Nate that changed a test -d
> > to a test -f for /proc/modules in _startklips.
> I did that for the Debian package, along with the CRL crash fix.
>
> Since all issues now seem to be fixed, would it be possible to enable
> NAT-T by default in the upstream config file ? I could of course patch
> the config file for the Debian package, but I would rather like to have
> as few Debian-specific patches as possible.
The issue with USE_NAT_TRAVERSAL_TRANSPORT_MODE is not wether or not it
was causing problems in the implementation, but that as a feature, it is
a security risk. Openswan tends to package with all dangerious options
disabled, leaving them open for the (hopefully somewhat cluefull) user
to enable. One such example is 1DES. NAT-traversal in transport mode also
has security implications. That is why it is disabled.
I will leave it up to Michael wether or not to change the current behaviour.
Paul
More information about the Users
mailing list