[Openswan Users] newbie help - RHEL 3 behind NAT to SonicWall

Kimberly Knowles Nico kimberly_nico at yahoo.com
Wed Feb 1 08:16:05 CET 2006 

I am reluctant to go with a non-EL-blessed kernel, but for the heck of it I
attempted to build 2.4.5rc4.  I am quite sure I need the NAT-T patch, because I
intend to use it behind a NATed router.  But the patch failed.

[root at localhost src]# cd openswan-2.4.5rc4/
[root at localhost openswan-2.4.5rc4]# make nattpatch | (cd
/usr/src/linux-2.4.21-37.0.1.EL-openswan && patch -p1)
patching file include/net/sock.h
Hunk #1 FAILED at 488.
Hunk #2 succeeded at 658 with fuzz 1 (offset -3 lines).
1 out of 2 hunks FAILED -- saving rejects to file include/net/sock.h.rej
patching file net/Config.in
Hunk #1 succeeded at 119 (offset 31 lines).
patching file net/ipv4/udp.c
Hunk #1 succeeded at 976 with fuzz 2 (offset 189 lines).
Hunk #2 succeeded at 956 (offset 149 lines).
Hunk #3 FAILED at 1213.
1 out of 3 hunks FAILED -- saving rejects to file net/ipv4/udp.c.rej

I took a look at socket.h, and where the patch appears to want to apply itself
there is already a definition of the struct udp_opt.

Patch:
--- 488,500 ----
  	} bictcp;
  };
  
+ #if 1
+ #define UDP_OPT_IN_SOCK 1
+ struct udp_opt {
+ 	__u32 esp_in_udp;
+ };
+ #endif
+ 
  /*
   * This structure really needs to be cleaned up.
   * Most of it is for TCP, and not used by any of

sock.h:
struct udp_opt {
	int		pending;	/* Any pending frames ? */
	unsigned int	corkflag;	/* Cork is required */
	__u16		encap_type;	/* Is this an Encapsulation socket? */
	/*
	 * Following members retains the infomation to create a UDP header
	 * when the socket is uncorked.
	 */
	u32		saddr;		/* source address */
	u32		daddr;		/* destination address */
	__u16		sport;		/* source port */
	__u16		dport;		/* destination port */
	__u16		len;		/* total length of pending frames */
};
 	
/*
 * This structure really needs to be cleaned up.
 * Most of it is for TCP, and not used by any of

This is from kernel source version 2.4.21-37.0.1.EL.  Will there be an rpm
release of the latest openswan any time soon?  I'm currently using
openswan-2.3.0-1rhel, which is the latest available in the binaries/rpms
directory for RHEL.  I'm not at liberty to change the linux distribution, as it
is my company's preference to use RHEL.

-Kim.

--- Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 25 Jan 2006, Kimberly Knowles Nico wrote:
> 
> > laptop RHEL 3, 192.168.2.2
> >       |
> > Belkin router/firewall and cable modem performing NAT
> >   (192.168.2.1, home network is 192.168.2/24)
>        |
> > ipsec_setup: Starting Openswan IPsec 2.3.0...
> 
> > 004 "vizdom" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> > {ESP=>0xd00553f0 <0x3e8b4af1 NATOA=0.0.0.0}
> 
> Note the weird NATOA entry. Can you try and run openswan 2.4.5rcX and see if
> that fixes your nat problems?
> 
> > [root at localhost kim]# /sbin/iptables -t nat -A POSTROUTING -o eth0 -s
> > 192.168.0.0/24 -d ! 10.1.1.0/24 -j MASQUERADE
> 
> That should work.
> 
> > 0.0.0.0         192.168.2.1     128.0.0.0       UG        0 0          0
> eth0
> > 128.0.0.0       192.168.2.1     128.0.0.0       UG        0 0          0
> eth0
> > 0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0
> eth0
> 
> You are also running Opportunistic Encryption? You might want to dsiable that
> by including /etc/ipsec.d/examples/no_oe.conf.
> 
> Paul
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the Users mailing list