[Openswan Users] NAT-T disabled
Magnus Hyllander
mhypub1 at hyllander.org
Thu May 27 03:59:04 CEST 2004
Hi,
I'm trying out Openswan for the first time after using Super FreeS/WAN
successfully in the past. I'm running Red Hat Linux 9, with kernel
2.4.20-31.9. I have compiled a new custom kernel with openswan 2.1.2,
according to the instructions in the README file. I patch the kernel
with the NAT-T patch, the build goes well, and I can boot the kernel
without problems. But, in /var/log/messages I see a couple of warning
and error messages:
May 27 02:01:07 fleming ipsec: ipsec_setup: WARNING: changing route filtering on eth0 (changing /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)
May 27 02:01:09 fleming ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled
Below is the output of "ipsec verify":
[root at fleming mhy]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.1.2 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: fleming [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: z.y.x.w.in-addr.arpa. [MISSING]
Below are the Openswan startup messages from /var/log/secure:
May 27 02:01:07 fleming pluto[2456]: Starting Pluto (Openswan Version 2.1.2 X.509-1.4.8 PLUTO_USES_KEYRR)
May 27 02:01:07 fleming pluto[2456]: including NAT-Traversal patch (Version 0.6c)
May 27 02:01:08 fleming pluto[2456]: Using KLIPS IPsec interface code
May 27 02:01:08 fleming pluto[2456]: Changing to directory '/etc/ipsec.d/cacerts'
May 27 02:01:08 fleming pluto[2456]: loaded cacert file 'cacert.pem' (8301 bytes)
May 27 02:01:08 fleming pluto[2456]: Changing to directory '/etc/ipsec.d/crls'
May 27 02:01:08 fleming pluto[2456]: loaded crl file 'crl.pem' (1036 bytes)
May 27 02:01:09 fleming pluto[2456]: loaded host cert file '/etc/ipsec.d/certs/fleming.cert.pem' (6355 bytes)
May 27 02:01:09 fleming pluto[2456]: added connection description "jac0027p-loc"
May 27 02:01:09 fleming pluto[2456]: loaded host cert file '/etc/ipsec.d/certs/fleming.cert.pem' (6355 bytes)
May 27 02:01:09 fleming pluto[2456]: added connection description "jac0027p-gw"
May 27 02:01:09 fleming pluto[2456]: listening for IKE messages
May 27 02:01:09 fleming pluto[2456]: NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled
May 27 02:01:09 fleming pluto[2456]: adding interface ipsec0/eth0 w.x.y.z
May 27 02:01:09 fleming pluto[2456]: loading secrets from "/etc/ipsec.secrets"
May 27 02:01:09 fleming pluto[2456]: loaded private key file '/etc/ipsec.d/private/fleming.key.pem' (1743 bytes)
Any ideas what is going wrong here? What does the warning about route
filtering mean, and why doesn't the kernel support ESPINUDP?
Thanks!
/Magnus