[Openswan Users] cannot respond to IPsec SA request
Jacco de Leeuw
jacco2 at dds.nl
Tue Mar 21 17:28:21 CET 2006
Remko Muis wrote:
>> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch
>
> That has been taken care of:
> Mar 21 16:06:32 Marnix pluto[27184]: including NAT-Traversal patch
> (Version 0.6c)
The patch for NATed servers in transport mode has not been included in
Mathieu Lafon's NAT-T patch or in Openswan. So that log message is
not an indication that it is included. You need to add that patch
yourself and recompile Openswan.
>> The NAT-T patch does not support this for PSKs. You may need to
>> switch to certificates.
>
> Ah, that fills a gap in my knowledge. But changing to
> right=192.168.2.100
> rightsubnet=192.168.2.0/24
> rightnexthop=192.168.2.1
> gives:
I'm not sure if this will work either. What I meant to say is that
that conn section will probably be rejected. Check out the startup
log messages of Openswan.
> I will definitely switch to certificates sometime, but for now I have to
> stick to PSKs.
Does it work when there is no NAT?
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl