[Openswan Users] RHEL4 U3 with NAT-T...

Paul Wouters paul at xelerance.com
Tue Mar 14 17:30:05 CET 2006


On Tue, 14 Mar 2006, Nicole Haehnel wrote:

> I'm using RHEL4 with kernel 2.6.9-22.0.2.EL, openswan 2.4.4 and nat-t patch.
> I also use IPSec Dial Client from SafeNet behind a router, so I need nat-t.
> It worked fine. But now with the new kernel 2.6.9-34.EL, I get errors:

You should only apply the nat-t patch when using KLIPS. Are you using
KLIPS or NETKEY?

> kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
> kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
> kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
> kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
> kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
> kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
>
> I used openswan-2.4.4.kernel-2.6-natt.patch.gz to patch the new kernel
> and rebuild it.
> .config is changed; CONFIG_IPSEC_NAT_TRAVERSAL=y is enabled in my .config.

I have never seen this. And as far as I know the nat-t patch for KLIPS
should not interfere with the nat-t capability of NETKEY. Which stack are
you using? And what happens if you try the "lsipsectool" from sourceforge
that uses the Microsoft Windows native IPsec stack? Perhaps this is a client
incompatibility?

Paul

