[Openswan Users] NAT-T in native stack??

Paul Wouters paul at xelerance.com
Tue May 18 22:07:25 CEST 2004


On Tue, 18 May 2004, Rene Mayrhofer wrote:

> > USE_NAT_TRAVERSAL_TRANSPORT_MODE?=true
> > 
> > in Makefile.inc. Note the _MODE part, which was missing in previous versions,
> > and might still be missing in 2.1.1. (It is fixed in cvs)
> > This is necessary for WinXP/2K
> Ok, added this to Makefile.inc.
> 
> > For the native stack, also apply the fix from Nate that changed a test -d
> > to a test -f for /proc/modules in _startklips.
> I did that for the Debian package, along with the CRL crash fix.
> 
> Since all issues now seem to be fixed, would it be possible to enable 
> NAT-T by default in the upstream config file ? I could of course patch 
> the config file for the Debian package, but I would rather like to have 
> as few Debian-specific patches as possible.

The issue with USE_NAT_TRAVERSAL_TRANSPORT_MODE is not whether or not it
was causing problems in the implementation, but that as a feature, it is
a security risk. Openswan tends to package with all dangerous options
disabled, leaving them open for the (hopefully somewhat clueful) user
to enable. One such example is 1DES. NAT-traversal in transport mode also
has security implications. That is why it is disabled.

I will leave it up to Michael whether or not to change the current behaviour.

Paul 
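The thread mentions Nate's fix that changed a "test -d" to a "test -f" for /proc/modules in _startklips. The following is an added example, not Openswan's own _startklips script, that shows why that one-character change matters: /proc/modules is a regular file, so a directory test can never succeed, and the native-stack startup path would wrongly conclude that the kernel cannot load modules. The example runs against a constructed stand-in directory (the FAKE_PROC variable and its contents are assumptions made here) rather than the real /proc, so it runs offline without touching the kernel interface.

```shell
#!/bin/sh
# Added example (not Openswan's _startklips): demonstrates the difference
# between "test -d" and "test -f" when probing /proc/modules.

# Constructed stand-in for /proc: a temporary directory holding a
# "modules" file with one made-up line in the /proc/modules format.
FAKE_PROC=$(mktemp -d)
trap 'rm -rf "$FAKE_PROC"' EXIT
printf 'esp4 12345 0 - Live 0xffffffffa0000000\n' > "$FAKE_PROC/modules"

# Old (buggy) check: asks whether <proc>/modules is a directory.
# It is a file, so this always fails and module support is "not found".
modules_check_buggy() {
    test -d "$1/modules"
}

# Fixed check, as described in the thread: <proc>/modules is a file.
modules_check_fixed() {
    test -f "$1/modules"
}

# Mirror of what a startup script would do with the answer: decide whether
# it may try to load kernel modules for the native IPsec stack.
decide_module_loading() {
    if modules_check_fixed "$1"; then
        echo "kernel has module support, module loading allowed"
    else
        echo "no /proc/modules, assuming built-in or no module support"
    fi
}

# Show both checks side by side against the constructed /proc.
if modules_check_buggy "$FAKE_PROC"; then
    echo "test -d: module support detected"
else
    echo "test -d: module support NOT detected (wrong for a real /proc)"
fi

if modules_check_fixed "$FAKE_PROC"; then
    echo "test -f: module support detected"
else
    echo "test -f: module support NOT detected"
fi

decide_module_loading "$FAKE_PROC"
```

Run as a plain POSIX sh script; no root is needed because it never reads the real /proc. The same directory-versus-file confusion also shows up in other startup scripts that probe /proc or /sys entries, so the check type is worth reviewing whenever a script decides behaviour based on the presence of such a path.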


