[Openswan Users] Clarification on Nat-t

Christian Brechbühler brechbuehler at gmail.com
Mon Jun 5 11:13:44 CEST 2006


On 6/4/06, ted leslie <tleslie at tcn.net> wrote:
>
> 3) i have a successful 2.4.5 openswan installed and a nat-t patched kernel
> and have it installed,
>         yet on the "ipsec verify" i see no indication of nat_t ? and i
> have nat_traversal=y
>         in my ipsec.conf, all restarted, but no mention in nat_t in the
> "ipsec verify",
>         i see some people claim there should be confirmation of nat-t in
> "ipsec verify"


Here's what I get -- it only mentions NAT.  I am a version behind, but
probably it looks similar:

> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.4/K2.6.9-1.11_FC2 (netkey)
> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
> Opportunistic Encryption Support                                [DISABLED]
>

BTW, the "multiple interfaces" check is a bit off.  Yes, I have two (and
forwarding enabled), but one of them is just the cable to my printer, and
has nothing to do with IPSEC.

> 4) I have read that NAT-T and ipsec-pass-through are incompatible. In fact
> someone has gone as
>         far as to say that if ipsec passthrough is enabled on a router (
> i.e. linksys), and you
>         use NAT-T, this will not work .. which i find odd, is this true?


I read here that passthrough in itself is utterly broken, and any router
doing it should be thrown in the trash.

> 6) is there some way to use auth=secret and use roadwarrior without having
> all same password?
>         Can't leftid/rightid identify the connection , or if the subnet
> was particular, isn't
>         that enough  to identify the connection, or does one have to use
> x.509 certs for sure
>         with roadwarrior.


I'd go for x.509.  It's easier to get working initially, AND it's safer.

Just my 2 cents.
/Christian
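To make the NAT-T and roadwarrior points above concrete, here is an ipsec.conf fragment for an Openswan 2.4.x gateway. It is an added example, not configuration from either poster: the certificate and key file names, the internal subnet and the PSK string are assumptions, and the conn names are made up. The certificate variant is the one recommended in the reply; the pre-shared-key variant is shown (commented out) to illustrate why every roadwarrior ends up with the same secret when the peer is `%any`: in IKEv1 main mode the responder has to choose the PSK by the peer's IP address, before the encrypted ID payload arrives, so leftid/rightid cannot be used to select a per-client secret. Note also that the Openswan keyword is `authby=secret`, not `auth=secret`, and that `nat_traversal` takes `yes`, not `y`.

```ini
# /etc/ipsec.conf -- added example, not from the thread.
# File names, subnets and the PSK are assumptions.
version 2.0

config setup
    interfaces=%defaultroute
    # NAT-T is off unless enabled here; "ipsec verify" on 2.4.x does not
    # report it, so the only confirmation is the UDP/4500 socket pluto opens.
    nat_traversal=yes
    # private ranges a NATed roadwarrior may sit behind
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Recommended: each roadwarrior presents its own X.509 certificate, so the
# gateway can tell clients apart and revoke one without touching the rest.
conn roadwarrior-x509
    left=%defaultroute
    leftcert=gateway-cert.pem          # assumed file in /etc/ipsec.d/certs
    leftrsasigkey=%cert
    leftsubnet=192.168.10.0/24         # assumed internal LAN
    right=%any
    rightrsasigkey=%cert
    rightca=%same                      # client cert must chain to our CA
    rightsubnet=vhost:%priv,%no        # clients may sit behind NAT
    authby=rsasig
    auto=add

# Pre-shared-key variant (what "auth=secret" in the question maps to).
# With right=%any the responder cannot know which client is calling when it
# picks the PSK, so one secret has to serve all roadwarriors:
#
# conn roadwarrior-psk
#     left=%defaultroute
#     leftsubnet=192.168.10.0/24
#     right=%any
#     rightsubnet=vhost:%priv,%no
#     authby=secret
#     auto=add
#
# /etc/ipsec.secrets for the PSK variant -- a single line covers everyone:
#     %any : PSK "one-secret-shared-by-all-clients"     # assumed value
# versus, for the certificate variant, only the gateway's own private key:
#     : RSA gateway-key.pem                             # assumed file name
```

Restart with `ipsec setup restart` after editing; a client whose certificate was issued by a different CA is rejected by `rightca=%same` before any tunnel is negotiated, which is the per-client control that a shared PSK cannot give you.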