[Openswan Users] UDP encapsulation in Suse 10 ?

Paul Wouters paul at xelerance.com
Sun Feb 12 17:39:28 CET 2006


On Sun, 12 Feb 2006, Pjothi wrote:

> Now I understand that racoon uses NETKEY and that's why it needs a
> patch, while Pluto does not.

I did not say that. I said KLIPS needs a patch, and NETKEY does not.
I have no idea whether Racoon needs any patch or not, but I assume it
does not when using NETKEY.

> ipsec.conf (nat_traversal yes) and ipsec.secrets (preshared key) and
> just started with rcipsec. For the moment I do not have a real NAT in
> between a host-host LAN scenario. So, I do get the SA
> established (host-host tunnel mode scenario) and I also see UDP
> encapsulated packets only during SA establishment but further for
> example ping packets are not UDP encapsulated.

You are not seeing UDP encapsulated packets, but IKE packets. And then
you see ESP packets later on. A normal no-nat IPsec connection.

> So, I added a temporary
> NAT using IP tables and now even the SA establishment fails. So as you
> said this method uses KLIPS.

Did you enable NAT on a machine BETWEEN the two IPsec servers? Using
NAT on one of the endpoints is known to not work. That is independent
of KLIPS or NETKEY. And you are likely using NETKEY. Verify that with
"ipsec --version".

> 1. Why are not packets UDP encapsulated after SA establishment in
> absence of NAT ?

Because no NAT was detected. You can use forceencaps=yes to force a
connection to "detect a NAT".

> 2. Why does even SA establishment fail if I enable NAT using iptables?

Because NAT+ipsec on the same machine is very tricky.

Paul
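The three things Paul is telling the poster to tell apart on the wire (IKE on UDP/500, bare ESP as IP protocol 50, and ESP that is genuinely UDP-encapsulated on UDP/4500 once a NAT is detected or forceencaps=yes is set) can be checked mechanically. The following is an added example, not code from Openswan or from either poster: a small Python classifier that decodes raw IPv4 frames just far enough to label them, run over constructed sample packets. Addresses, SPI values and IKE header bytes below are made up; the UDP/4500 rules (one-byte 0xFF keepalive, four zero bytes as the non-ESP marker in front of IKE, otherwise an ESP header starting with its SPI) follow RFC 3948.

```python
"""Classify what an IPsec endpoint actually emits: IKE, bare ESP, or UDP-encapsulated ESP.

Added example for the Openswan thread above; not Openswan code.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500


def ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a minimal IPv4 header (IHL=5, no options, checksum left zero) in front of payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def udp(sport, dport, payload):
    """Build a UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Return one of: esp, ike, ike-natt, udp-encap-esp, natt-keepalive, other."""
    if len(packet) < 20:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_ESP:
        return "esp"                    # bare ESP: what you see when no NAT was detected
    if proto != IPPROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    payload = packet[ihl + 8:ihl + ulen]
    if IKE_PORT in (sport, dport):
        return "ike"                    # IKE negotiation on UDP 500, not encapsulated data
    if NATT_PORT in (sport, dport):
        if len(payload) == 1 and payload[0] == 0xFF:
            return "natt-keepalive"     # RFC 3948 NAT keepalive
        if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"           # non-ESP marker: IKE that moved to port 4500
        if len(payload) >= 8:
            return "udp-encap-esp"      # payload begins with a non-zero ESP SPI
    return "other"


def diagnose(packets):
    """Summarise a capture the way the reply above does."""
    kinds = {classify(p) for p in packets}
    if "udp-encap-esp" in kinds:
        return "nat-t active"           # ESP is UDP-encapsulated (NAT detected or forceencaps=yes)
    if "esp" in kinds:
        return "plain esp, no nat"      # IKE followed by bare ESP: a normal no-NAT connection
    return "no sa"                      # only IKE (or nothing): the SA never came up


# Constructed sample packets (made-up SPIs and IKE header bytes).
_fake_ike_hdr = b"\x11" * 8 + b"\x00" * 8 + b"\x21\x20\x22\x08" + b"\x00" * 4 + struct.pack("!I", 28)
_fake_esp = struct.pack("!II", 0x1234ABCD, 1) + b"\xAA" * 16   # SPI, sequence, ciphertext
SAMPLES = {
    "ike": ipv4(IPPROTO_UDP, udp(500, 500, _fake_ike_hdr)),
    "esp": ipv4(IPPROTO_ESP, _fake_esp),
    "udp-encap-esp": ipv4(IPPROTO_UDP, udp(4500, 4500, _fake_esp)),
    "ike-natt": ipv4(IPPROTO_UDP, udp(4500, 4500, b"\x00" * 4 + _fake_ike_hdr)),
    "natt-keepalive": ipv4(IPPROTO_UDP, udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {classify(pkt)}")
    print(diagnose([SAMPLES["ike"], SAMPLES["esp"]]))
    print(diagnose([SAMPLES["ike-natt"], SAMPLES["udp-encap-esp"]]))
```

The poster's capture (IKE, then ESP, no UDP/4500 traffic) classifies as "plain esp, no nat", which is exactly the reading given above. Only a capture containing udp-encap-esp packets shows NAT traversal actually in use.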

