[Openswan Users] newbie help - RHEL 3 behind NAT to SonicWall
Kimberly Knowles Nico
kimberly_nico at yahoo.com
Wed Feb 1 08:16:05 CET 2006
I am reluctant to go with a non-EL-blessed kernel, but for the heck of it I
attempted to build 2.4.5rc4. I am quite sure I need the NAT-T patch, because I
intend to use it behind a NATed router. But the patch failed.
[root at localhost src]# cd openswan-2.4.5rc4/
[root at localhost openswan-2.4.5rc4]# make nattpatch | (cd /usr/src/linux-2.4.21-37.0.1.EL-openswan && patch -p1)
patching file include/net/sock.h
Hunk #1 FAILED at 488.
Hunk #2 succeeded at 658 with fuzz 1 (offset -3 lines).
1 out of 2 hunks FAILED -- saving rejects to file include/net/sock.h.rej
patching file net/Config.in
Hunk #1 succeeded at 119 (offset 31 lines).
patching file net/ipv4/udp.c
Hunk #1 succeeded at 976 with fuzz 2 (offset 189 lines).
Hunk #2 succeeded at 956 (offset 149 lines).
Hunk #3 FAILED at 1213.
1 out of 3 hunks FAILED -- saving rejects to file net/ipv4/udp.c.rej
I took a look at socket.h, and where the patch appears to want to apply itself
there is already a definition of the struct udp_opt.
Patch:
--- 488,500 ----
} bictcp;
};
+ #if 1
+ #define UDP_OPT_IN_SOCK 1
+ struct udp_opt {
+ __u32 esp_in_udp;
+ };
+ #endif
+
/*
* This structure really needs to be cleaned up.
* Most of it is for TCP, and not used by any of
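Review bot: the #if 1 guard around the added struct udp_opt (hunk at 488) is always true, so the definition is unconditional and would clash with any tree whose include/net/sock.h already declares struct udp_opt, as the RHEL excerpt quoted next does with its encap_type member. Replace #if 1 with a condition that is false when the kernel already provides the struct, and add a comment saying whether esp_in_udp is meant to replace or coexist with an existing encap_type field; UDP_OPT_IN_SOCK should only be defined in the case where this patch supplies the struct.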
sock.h:
struct udp_opt {
        int pending;            /* Any pending frames ? */
        unsigned int corkflag;  /* Cork is required */
        __u16 encap_type;       /* Is this an Encapsulation socket? */
        /*
         * Following members retains the infomation to create a UDP header
         * when the socket is uncorked.
         */
        u32 saddr;              /* source address */
        u32 daddr;              /* destination address */
        __u16 sport;            /* source port */
        __u16 dport;            /* destination port */
        __u16 len;              /* total length of pending frames */
};
/*
* This structure really needs to be cleaned up.
* Most of it is for TCP, and not used by any of
This is from kernel source version 2.4.21-37.0.1.EL. Will there be an rpm
release of the latest openswan any time soon? I'm currently using
openswan-2.3.0-1rhel, which is the latest available in the binaries/rpms
directory for RHEL. I'm not at liberty to change the linux distribution, as it
is my company's preference to use RHEL.
-Kim.
--- Paul Wouters <paul at xelerance.com> wrote:
> On Wed, 25 Jan 2006, Kimberly Knowles Nico wrote:
>
> > laptop RHEL 3, 192.168.2.2
> > |
> > Belkin router/firewall and cable modem performing NAT
> > (192.168.2.1, home network is 192.168.2/24)
> > |
> > ipsec_setup: Starting Openswan IPsec 2.3.0...
>
> > 004 "vizdom" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xd00553f0 <0x3e8b4af1 NATOA=0.0.0.0}
>
> Note the weird NATOA entry. Can you try and run openswan 2.4.5rcX and see if
> that fixes your nat problems?
>
> > [root at localhost kim]# /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d ! 10.1.1.0/24 -j MASQUERADE
>
> That should work.
>
> > 0.0.0.0 192.168.2.1 128.0.0.0 UG 0 0 0 eth0
> > 128.0.0.0 192.168.2.1 128.0.0.0 UG 0 0 0 eth0
> > 0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
>
> You are also running Opportunistic Encryption? You might want to disable that
> by including /etc/ipsec.d/examples/no_oe.conf.
>
> Paul
>