[Openswan Users] Clarification on Nat-t
tleslie at tcn.net
Mon Jun 5 00:37:39 CEST 2006
I am trying to get NAT-T working and have some questions, or more a need for confirmation.
Anyone's help would be appreciated.
1) In the install instructions for openswan, with respect to NAT-T, it is under the KLIPS install
context. Can you install the NAT-T patch and rebuild the userland tools WITHOUT doing
the KLIPS patch?
1b) The KLIPS patch essentially allows for an ipsec module, whereas without it you use the IPsec
built into the kernel, and therefore there is NO ipsec module (if not using KLIPS)?
2) After I rebuild the 2.6.16+ kernel (I selected NAT_T... = y)
and make the userland tools, if I am not using KLIPS, I just need to
"make programs install"? I DON'T need to "make modules" and "make minstall", as
that is just for KLIPS?
3) I have a successful openswan 2.4.5 installed and a NAT-T patched kernel installed,
yet in "ipsec verify" I see no indication of NAT-T. I have nat_traversal=yes
in my ipsec.conf, everything restarted, but there is no mention of NAT-T in "ipsec verify".
I see some people claim there should be confirmation of NAT-T in "ipsec verify".
4) I have read that NAT-T and IPsec pass-through are incompatible. In fact someone has gone as
far as to say that if IPsec passthrough is enabled on a router (i.e. Linksys) and you
use NAT-T, this will not work, which I find odd. Is this true?
If so, how can I selectively choose when a client would need to jump to NAT-T (UDP 4500),
or be OK with IPsec pass-through?
5) Is there a way of forcing NAT-T on even if it is not necessary, for testing purposes?
6) Is there some way to use authby=secret with roadwarriors without all of them having the same password?
Can't leftid/rightid identify the connection, or if the subnet was particular, isn't
that enough to identify the connection, or does one have to use X.509 certs for sure?