[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Nov 30 16:15:45 CET 2005


On Wed, 30 Nov 2005, sasa wrote:

> My question derives from the installation that I have done on FC3 with
> kernel 2.6.9_1.667.
> On this machine I have created the rpm installation files (always in order
> to use openswan/klips) in this way:
>
> #rpm -e ipsec-tools
> #rmmod af_key
> #rmmod esp4
> #rmmod ipcomp
> #rpm -ivh kernel-2.6.12-1.1381_FC3_src.rpm
> #tar zxvf /usr/src/redhat/SOURCES/openswan-2.4.4.tar.gz
> #cd /usr/src/redhat/SOURCES/openswan-2.4.4/packing/redhat
> # rpmbuild -bb openswan.spec --define 'buildklips 1' --define 'kversion 2.6.9-1.667'

> openswan-2.4.4-1.i386.rpm
> openswan-doc-2.4.4-1.i386.rpm
> openswan-klips-2.4.4-2.6.9_1.667_1.i386.rpm

This gives you openswan-klips without nat-t support.

> I have installed openswan with these files and now I have:
>
> Nov 30 11:59:46 fw1 ipsec__plutorun: Starting Pluto subsystem...
> Nov 30 11:59:46 fw1 pluto[4858]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
> Nov 30 11:59:46 fw1 pluto[4858]: Setting NAT-Traversal port-4500 floating to on
> Nov 30 11:59:46 fw1 pluto[4858]:    port floating activation criteria nat_t=1/port_fload=1
> Nov 30 11:59:46 fw1 pluto[4858]:   including NAT-Traversal patch (Version 0.6c)

This means nat-t is detected.

> So can I use klips and nat-t? In this setup I haven't installed the
> nat-t patch!

Run 'ipsec --version'. Does it say it is using klips or netkey? My guess is that
klips did not load. For instance, this could happen because you compiled klips
for 2.6.9-1.667 but you are running a different kernel (another version or perhaps
the smp version of 2.6.9-1.667).

I think you are not using what you think you are.

Paul
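
The check suggested in the reply above, as an added example that is not part of the original message or of Openswan itself: it reads the stack name out of `ipsec --version` and compares the kernel version KLIPS was built for with the running kernel. The function names are hypothetical, and the format of the `ipsec --version` output (stack name in parentheses) is an assumption.

```shell
#!/bin/sh
# Added example; the version strings used with it are constructed samples.

# Print klips, netkey or none from the text printed by `ipsec --version`.
# Assumption: the active stack appears in parentheses, e.g. "(netkey)".
stack_in_use() {
    case "$1" in
        *"(klips)"*)  echo klips ;;
        *"(netkey)"*) echo netkey ;;
        *)            echo none ;;
    esac
}

# Compare the kernel version KLIPS was built for ($1) with `uname -r` ($2).
# The package name on this page spells kversion 2.6.9-1.667 as 2.6.9_1.667,
# so "_" and "-" are treated as equal. Prints match, variant or mismatch.
klips_kernel_check() {
    built=$(printf '%s' "$1" | tr '_' '-')
    running=$(printf '%s' "$2" | tr '_' '-')
    if [ "$built" = "$running" ]; then
        echo match
        return 0
    fi
    case "$running" in
        "$built"?*) echo variant ;;    # same base plus a suffix such as "smp"
        *)          echo mismatch ;;
    esac
}

# $1 = `ipsec --version` text, $2 = kversion used at build, $3 = `uname -r`
diagnose() {
    stack=$(stack_in_use "$1")
    if [ "$stack" = klips ]; then
        echo "klips is active"
        return 0
    fi
    case "$(klips_kernel_check "$2" "$3")" in
        match) echo "stack=$stack: kernel matches the build, check why the ipsec module did not load" ;;
        *)     echo "stack=$stack: klips built for $2 but running kernel is $3" ;;
    esac
}

# Live use: sh check.sh --live 2.6.9-1.667
if [ "${1:-}" = "--live" ]; then
    diagnose "$(ipsec --version 2>&1)" "$2" "$(uname -r)"
fi
```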

