[Openswan Users] cannot respond to IPsec SA request

Jacco de Leeuw jacco2 at dds.nl
Tue Mar 21 17:28:21 CET 2006

Remko Muis wrote:

>> http://www.jacco2.dds.nl/networking/patches/openswan-2.3.1-NATserver.patch 
> That has been taken care of:
> Mar 21 16:06:32 Marnix pluto[27184]:   including NAT-Traversal patch 
> (Version 0.6c)

The patch for NATed servers in transport mode has not been included in
Mathieu Lafon's NAT-T patch or in Openswan. So that log message is
not an indication that it is included. You need to add that patch
yourself and recompile Openswan.

>> The NAT-T patch does not support this for PSKs. You may need to
>> switch to certificates.
> Ah, that fills a gap in my knowledge. But changing to
>    right=
>    rightsubnet=
>    rightnexthop=
> gives:

I'm not sure if this will work either. What I meant to say is that
that conn section will probably be rejected. Check out the startup
log messages of Openswan.

> I will definitely switch to certificates sometime, but for now I have to 
> stick to PSKs.

Does it work when there is no NAT?

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
