[Openswan Users] UDP encapsulation in Suse 10 ?

Pjothi pjothi at gmail.com
Sun Feb 12 07:01:15 CET 2006


Now I understand that racoon uses NETKEY and that's why it needs a
patch, while Pluto does not. As Michael suggested I simply edited the
ipsec.conf (nat_traversal yes) and ipsec.secrets (preshared key) and
just started with rcipsec. For the moment I do not have a real NAT in
between a host-host LAN scenario. So, I do get the SA
established (host-host tunnel mode scenario) and I also see UDP
encapsulated packets only during SA establishment, but further for
example ping packets are not UDP encapsulated. So, I added a temporary
NAT using iptables and now even the SA establishment fails. So as you
said this method uses KLIPS. This cleared one doubt of mine: why
this method can use nat-traversal while racoon cannot. Because this
uses KLIPS and racoon uses NETKEY which requires a patch.

Now, I have to further investigate the following.

1. Why are packets not UDP encapsulated after SA establishment in
the absence of NAT?

2. Why does even SA establishment fail if I enable NAT using iptables?

Many thanks Paul and others,
Pj

On 2/12/06, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 10 Feb 2006, Pjothi wrote:
>
> > I am successful in setting up IPSec with preshared keys (both
> > transport and tunnel) using racoon between two Suse Linux 10
> > machines which use openswan and come pre-configured.
>
> You cannot be "using racoon which uses openswan". Both are IPsec keying
> daemons and you will be using either one or the other, not both at
> the same time. So I am not sure what you tried to get to work and what
> worked or not.
>
> > I would like to know if there is already UDP encapsulation capability
> > integrated with the Freeswan implementation on Suse Linux (kernel release
> > 2.6.13-15).
>
> There are two different IPsec kernel stacks, KLIPS and NETKEY. KLIPS
> requires a kernel patch for nat-t, NETKEY does not. Racoon only works
> with NETKEY. NETKEY is part of the stock 2.6 kernel, KLIPS is not.
>
> > Because the README files for NAT traversal say I need to patch
> > the kernel.
>
> Only if you want/need KLIPS. It is not needed when using racoon and
> NETKEY.
>
> Paul
>
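
Pjothi's observation above (UDP-encapsulated packets only during SA establishment, none for the ping traffic) can be checked by looking at what actually rides on UDP/4500. The following is an added example, not code from this thread or from Openswan: it classifies UDP/4500 payloads using the RFC 3948 framing (a lone 0xFF NAT-keepalive, a zero Non-ESP Marker followed by an IKE header, or ESP with a non-zero SPI), so IKE negotiation can be told apart from UDP-encapsulated data traffic; the sample payloads are constructed.

```python
import struct

# RFC 3948 framing on UDP/4500: a lone 0xFF byte is a NAT-keepalive, a
# four-zero-byte "Non-ESP Marker" precedes an IKE header, and anything else
# is an ESP packet whose first four bytes are a non-zero SPI (SPI 0 is reserved).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28   # ISAKMP fixed header
ESP_HEADER_LEN = 8    # SPI + sequence number
EXCHANGE_NAMES = {2: "main_mode", 4: "aggressive", 5: "informational", 32: "quick_mode"}

def classify_udp4500_payload(payload: bytes) -> dict:
    """Return what kind of NAT-T traffic a single UDP/4500 payload carries."""
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        _ispi, _rspi, _next, version, exch, _flags, _msgid, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike", "version": version >> 4,
                "exchange": EXCHANGE_NAMES.get(exch, "other"), "length": length}
    if len(payload) >= ESP_HEADER_LEN:
        spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
        if spi != 0:
            return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "invalid", "reason": "neither IKE, ESP nor keepalive"}

def summarize(payloads) -> tuple:
    """Count payload kinds and report whether any data-plane ESP was UDP-encapsulated.
    IKE on UDP/4500 alone only shows NAT-T was negotiated during SA setup; without
    ESP-in-UDP the protected traffic itself (e.g. ping) is still leaving as plain ESP."""
    counts = {"keepalive": 0, "ike": 0, "esp": 0, "invalid": 0}
    for p in payloads:
        counts[classify_udp4500_payload(p)["kind"]] += 1
    return counts, counts["esp"] > 0

# Constructed sample payloads (not captured from the poster's hosts).
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0x99AABBCCDDEEFF00, 8, 0x10, 32, 0x01,
    0xDEADBEEF, IKE_HEADER_LEN + 8) + b"\x00" * 8
SAMPLE_ESP = struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 16
SAMPLE_KEEPALIVE = b"\xff"
SETUP_ONLY = [SAMPLE_IKE, SAMPLE_IKE, SAMPLE_KEEPALIVE]   # what the poster describes seeing
WITH_DATA = SETUP_ONLY + [SAMPLE_ESP]

if __name__ == "__main__":
    print(summarize(SETUP_ONLY))   # ({'keepalive': 1, 'ike': 2, 'esp': 0, 'invalid': 0}, False)
    print(summarize(WITH_DATA))    # ({'keepalive': 1, 'ike': 2, 'esp': 1, 'invalid': 0}, True)
```

Feed it the UDP payloads from a tcpdump/pcap of port 4500 on either host; if only IKE and keepalives show up, the negotiated SA is not carrying ESP inside UDP.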

