[Openswan Users] NAT-T Help

Peter McGill petermcgill at goco.net
Fri Dec 1 12:48:58 EST 2006


On Nov 29, 2006, Paul Wouters wrote:
> On Tue, 28 Nov 2006, Peter McGill wrote:
> 
> > I'm running Openswan 2.4.6 on Kernel 2.4.31.
> > I have 7+ offices linked using Openswan (without NAT-T).
> > They work great.
> > I added a L2TP/IPSec server connection to our main one (without NAT-T).
> > Again it works fine.
> >
> > I wanted to add NAT-T support to that server so that employees can access from home networks.
> > I enabled NAT-T in ipsec.conf.
> > config setup
> >         nat_traversal=yes
> >
> >         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32
> >
> > conn remote-client-to-london-office-server
> >         rightsubnet=vhost:%no,%priv
> >
> > I patched the kernel with the NAT-T patch.
> > cd /usr/src/linux-2.4.31; patch -p1 < openswan-2.4.6.kernel-2.4-natt.patch
> > (Enabled NAT-T in config, recompiled, installed the new kernel and rebooted).
> > Everything appeared to go alright.
> > NAT-T support appears to be compiled in, as I don't see this in the log anymore.
> > Nov 28 15:52:13 sheridan pluto[1746]: NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
> >
> > But now all my old office to office connections don't work.
> > They all get stuck on Main I1, initiating the connection (initiated from either end.)
> > But I don't see any error messages explaining what's wrong.
> > I checked my firewall logs (both ends) and it doesn't appear to be dropping anything.
> >
> > Any suggestions?
> 
> That should not happen. It seems there is a conflict in the connections??
> 
> > I don't need to compile NAT-T on all the servers do I?
> > That would be a real chore to synchronize.
> 
> Can you give us an 'ipsec barf' when in that bad state?

I attached the barf output.
ipsec barf > natt_barf.txt 2>&1

I looked it over before sending this, but didn't see anything that stood out to me. Thanks for looking into this.

Should I try upgrading to Openswan 2.4.7? Does it work alright with 2.4.x kernels? I read somewhere that there might be a problem; otherwise I would have upgraded before asking for help.

Peter
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: natt_barf.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20061201/7d5cd9c4/attachment-0001.txt 
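One thing worth checking when site-to-site tunnels break after enabling virtual_private is whether every office subnet is carved out of the %priv space, since a road-warrior claiming an address inside an office range collides with the static tunnel. The checker below is an added example (not code from the thread or from Openswan); it parses the virtual_private value quoted above and assumes a constructed list of office subnets.

```python
import ipaddress

# The virtual_private value quoted in the thread above.
VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
    "%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,"
    "%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32"
)

# Constructed sample office subnets (assumption: not from the thread).
OFFICE_SUBNETS = ["172.21.0.0/16", "10.0.0.0/24", "192.168.10.0/24", "8.8.8.0/24"]


def parse_virtual_private(value):
    """Split a virtual_private string into (included, excluded) IPv4 networks.

    Entries look like %v4:CIDR (allowed for virtual hosts) or %v4:!CIDR
    (carved out). %v6: entries are skipped since the thread is IPv4-only.
    """
    included, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue
        cidr = entry[len("%v4:"):]
        if cidr.startswith("!"):
            excluded.append(ipaddress.ip_network(cidr[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(cidr, strict=False))
    return included, excluded


def claimable_by_roadwarrior(subnet, included, excluded):
    """True if some address in `subnet` could be claimed by a %priv client.

    A virtual host may use any address inside an included range that is not
    inside an excluded range; an office subnet that is not fully excluded is
    therefore exposed to an address collision with a remote client.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    if not any(net.overlaps(inc) for inc in included):
        return False  # outside the virtual-private space entirely
    if any(net.subnet_of(exc) for exc in excluded):
        return False  # fully carved out, safe
    return True


def check_office_subnets(value=VIRTUAL_PRIVATE, subnets=OFFICE_SUBNETS):
    """Map each office subnet to whether a road-warrior could claim into it."""
    included, excluded = parse_virtual_private(value)
    return {s: claimable_by_roadwarrior(s, included, excluded) for s in subnets}
```

Any subnet reported as True should be added as a %v4:! exclusion before relying on %priv.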