[Openswan Users] NAT-T disabled

Magnus Hyllander mhypub1 at hyllander.org
Thu May 27 03:59:04 CEST 2004


Hi,

I'm trying out Openswan for the first time after using Super FreeS/WAN
successfully in the past. I'm running Red Hat Linux 9, with kernel
2.4.20-31.9. I have compiled a new custom kernel with openswan 2.1.2,
according to the instructions in the README file. I patch the kernel
with the NAT-T patch, the build goes well, and I can boot the kernel
without problems. But, in /var/log/messages I see a couple of warning
and error messages:

May 27 02:01:07 fleming ipsec: ipsec_setup: WARNING: changing route
filtering on eth0 (changing /proc/sys/net/ipv4/conf/eth0/rp_filter from
1 to 0)
May 27 02:01:09 fleming ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1)
not supported by kernel -- NAT-T disabled

Below is the output of "ipsec verify":

[root at fleming mhy]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan 2.1.2 (klips)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: fleming                         [MISSING]
   Does the machine have at least one non-private address?              [OK]
   Looking for TXT in reverse dns zone: z.y.x.w.in-addr.arpa.    [MISSING]

Below are the Openswan startup messages from /var/log/secure:

May 27 02:01:07 fleming pluto[2456]: Starting Pluto (Openswan Version
2.1.2 X.509-1.4.8 PLUTO_USES_KEYRR)
May 27 02:01:07 fleming pluto[2456]:   including NAT-Traversal patch
(Version 0.6c)
May 27 02:01:08 fleming pluto[2456]: Using KLIPS IPsec interface code
May 27 02:01:08 fleming pluto[2456]: Changing to directory
'/etc/ipsec.d/cacerts'
May 27 02:01:08 fleming pluto[2456]:   loaded cacert file 'cacert.pem'
(8301 bytes)
May 27 02:01:08 fleming pluto[2456]: Changing to directory
'/etc/ipsec.d/crls'
May 27 02:01:08 fleming pluto[2456]:   loaded crl file 'crl.pem' (1036
bytes)
May 27 02:01:09 fleming pluto[2456]:   loaded host cert file
'/etc/ipsec.d/certs/fleming.cert.pem' (6355 bytes)
May 27 02:01:09 fleming pluto[2456]: added connection description
"jac0027p-loc"
May 27 02:01:09 fleming pluto[2456]:   loaded host cert file
'/etc/ipsec.d/certs/fleming.cert.pem' (6355 bytes)
May 27 02:01:09 fleming pluto[2456]: added connection description
"jac0027p-gw"
May 27 02:01:09 fleming pluto[2456]: listening for IKE messages
May 27 02:01:09 fleming pluto[2456]: NAT-Traversal: ESPINUDP(1) not
supported by kernel -- NAT-T disabled
May 27 02:01:09 fleming pluto[2456]: adding interface ipsec0/eth0 w.x.y.z
May 27 02:01:09 fleming pluto[2456]: loading secrets from
"/etc/ipsec.secrets"
May 27 02:01:09 fleming pluto[2456]:   loaded private key file
'/etc/ipsec.d/private/fleming.key.pem' (1743 bytes)

Any ideas what is going wrong here? What does the warning about route
filtering mean, and why doesn't the kernel support ESPINUDP?

Thanks!

/Magnus
