[Openswan Users] Clarification on Nat-t

ted leslie tleslie at tcn.net
Mon Jun 5 00:37:39 CEST 2006


I am trying to get NAT-T working and have some questions, or more a need for confirmation.
Anyone's help would be appreciated.

1) In the install instructions for openswan, with respect to NAT-T, it is under the KLIPS install
	context. Can you install the NAT-T patch and rebuild the userland tools WITHOUT doing
	the KLIPS patch?

1b) The KLIPS patch essentially allows for an ipsec module, whereas without it you use the IPsec
	built into the kernel, therefore there is NO ipsec module (if not using KLIPS)?

2) After I rebuild the 2.6.16+ kernel (I selected NAT_T... = y)
	and make the userland tools, if I am not using KLIPS, I just need to
	"make programs install". I DON'T need to "make modules" and "make minstall", as
	that is just for KLIPS?

3) I have a successful 2.4.5 openswan installed and a NAT-T patched kernel installed,
	yet on "ipsec verify" I see no indication of nat_t, and I have nat_traversal=y
	in my ipsec.conf, all restarted, but no mention of nat_t in the "ipsec verify".
	I see some people claim there should be confirmation of NAT-T in "ipsec verify".

4) I have read that NAT-T and ipsec-pass-through are incompatible. In fact someone has gone as
	far as to say that if IPsec passthrough is enabled on a router (i.e. Linksys) and you
	use NAT-T, this will not work, which I find odd. Is this true?
	If so, how can I selectively choose when a client would need to jump to NAT-T (UDP 4500),
	or be OK with ipsec-pass-through?

5) Is there a way of forcing NAT-T on even if it's not necessary, for testing purposes?

6) Is there some way to use auth=secret and use roadwarrior without all having the same password?
	Can't leftid/rightid identify the connection, or if the subnet was particular, isn't
	that enough to identify the connection, or does one have to use X.509 certs for sure
	with roadwarrior?

Thanks,

-tl
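An ipsec.conf / ipsec.secrets fragment for the kind of NAT-T roadwarrior setup the questions above describe, as an added example that is not part of the post or of the Openswan project's documentation (Openswan 2.4.x syntax; the addresses and the secret are placeholders, and forceencaps is assumed to be supported by the installed build):

```ini
# /etc/ipsec.conf  (placeholder addresses: 192.0.2.1 = gateway public IP,
#                   192.168.1.0/24 = LAN behind the gateway)
config setup
        interfaces=%defaultroute
        # enable RFC 3947/3948 NAT traversal (IKE on UDP 500, ESP-in-UDP on 4500)
        nat_traversal=yes
        # private ranges a NAT-T client may be sitting behind; the "!" entry
        # excludes the gateway's own LAN so it cannot be claimed by a client
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn roadwarrior
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        # any peer address; clients behind NAT present a private virtual host IP
        right=%any
        rightsubnet=vhost:%no,%priv
        authby=secret
        pfs=yes
        # for testing only: tell the peer that UDP encapsulation is required
        # even when no NAT is detected
        #forceencaps=yes
        auto=add

# /etc/ipsec.secrets
# In IKEv1 main mode the PSK is selected by peer address before the ID payload
# is seen, so every peer arriving from an unknown address matches the %any
# entry and therefore shares this one secret. Per-peer secrets need a fixed
# peer address on the left of the line, or certificate-based authentication.
192.0.2.1 %any : PSK "placeholder-shared-secret"
```

After editing both files, "ipsec setup restart" and a NAT-T client connecting should show ESP traffic on UDP port 4500 rather than IP protocol 50 in the gateway's logs.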

