[Openswan Users] NAT-T

Paul Wouters paul at xelerance.com
Thu Mar 23 23:06:29 CET 2006


On Thu, 23 Mar 2006, Oliver Tomkins wrote:

> 1) We're using the 2.6.15-1.1833_FC4 kernel.  Am I correct in thinking that
> the NAT-T patch is already applied to this kernel?

No. If you use NETKEY, then you do not need the NAT-T patch, as NETKEY has its
own nat-t capabilities built in. If you use KLIPS, you need the NAT-T patch.
KLIPS does not come with FC kernels.

> 2) As NAT-T is enabled globally in the ipsec.conf am I correct in thinking
> this will not have an effect on the clients connecting from non NAT sources.

It depends on your configuration. If you use nat_traversal=yes, the proper
virtual_private line, and use: rightsubnet=vhost:%no,%priv then it should
not influence your non-natted connections.

> 3) All our existing non NAT clients connect with type=transport which has
> security implications with NAT-T. Is this only for the clients connecting from
> behind a NAT router?

You will have major problems if you need to support l2tp/transport mode connections
from behind NAT. Particularly, users with the same NAT'ed IP address behind
different NAT routers, and having multiple roadwarriors behind the same NAT
router. We are working on fixing these issues, but we are still looking for
resources to help us complete this project. This is not supported in openswan-2.4.x.

Paul
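
Putting the three settings from the reply together in one ipsec.conf, as an added example that is not from the original thread (the virtual_private ranges, the excluded LAN 192.168.1.0/24, the conn name and the PSK authby are placeholders, and the conn shows the transport-mode l2tp case the reply warns about for NAT'ed clients):

```ini
# Added example, not from the original thread. Addresses are placeholders.
config setup
    interfaces=%defaultroute
    # NAT-T enabled globally; with NETKEY no kernel patch is needed,
    # with KLIPS the NAT-T kernel patch must be applied.
    nat_traversal=yes
    # Private ranges a NAT'ed client may sit behind. The local LAN is
    # excluded with "!" so a client cannot claim an address that overlaps it.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

# Existing non-NAT l2tp clients keep using transport mode unchanged;
# "%no" accepts a client with its real (non-NAT'ed) address, "%priv" lets a
# NAT'ed client present a virtual_private address. Multiple roadwarriors
# behind the same NAT router, or the same NAT'ed IP behind different NAT
# routers, are the cases openswan-2.4.x does not handle in this mode.
conn l2tp-roadwarrior
    type=transport
    authby=secret
    pfs=no
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    auto=add
```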

