[Openswan Users] NAT-T

ted leslie tleslie at tcn.net
Thu Mar 23 17:45:11 CET 2006


are you saying if you use the Klips patch you MUST also install the NAT-T patch?
they always go hand in hand?

i thought the Klips patch was just to get back the ipsec## interfaces,
and be able to do some NAT'ing between interfaces, that was a bit harder or impossible
to do without the Klips, but that doesn't (shouldn't) tie it to NAT-T? should it?

-tl


On Thu, 23 Mar 2006 23:06:29 +0100 (CET)
Paul Wouters <paul at xelerance.com> wrote:

> On Thu, 23 Mar 2006, Oliver Tomkins wrote:
> 
> > 1) We're using the 2.6.15-1.1833_FC4 kernel.  Am I correct in thinking that
> > the NAT-T patch is already applied to this kernel?
> 
> No. If you use NETKEY, then you do not need the NAT-T patch, as NETKEY has its
> own NAT-T capabilities built in. If you use KLIPS, you need the NAT-T patch.
> KLIPS does not come with FC kernels.
> 
> > 2) As NAT-T is enabled globally in the ipsec.conf am I correct in thinking
> > this will not have an effect on the clients connecting from non NAT sources.
> 
> It depends on your configuration. If you use nat_traversal=yes, the proper
> virtual_private line, and use rightsubnet=vhost:%no,%priv, then it should
> not influence your non-NATed connections.
> 
> > 3) All our existing non NAT clients connect with type=transport which has
> > security implications with NAT-T. Is this only for the clients connecting from
> > behind a NAT router?
> 
> You will have major problems if you need to support l2tp/transport mode connections
> from behind NAT. Particularly, users with the same NAT'ed IP address behind
> different NAT routers, and having multiple roadwarriors behind the same NAT
> router. We are working on fixing these issues, but we are still looking for
> resources to help us complete this project. This is not supported in openswan-2.4.x
> 
> Paul
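An ipsec.conf that puts the three settings Paul names (nat_traversal=yes, a virtual_private line, rightsubnet=vhost:%no,%priv) next to an untouched transport-mode conn. This is an added illustration, not from the thread or the Openswan project; the conn names, the 10.1.0.0/24 LAN, the 203.0.113.10 peer and PSK authentication are assumptions chosen for the example.

```ini
# Added illustration (not from the thread): NAT-T enabled globally,
# while existing non-NAT transport-mode clients are left alone.
config setup
    # Enable NAT traversal (UDP/4500 encapsulation) for the whole daemon.
    nat_traversal=yes
    # Inner (private) addresses a NATed client may claim. RFC 1918 ranges
    # are allowed; the gateway's own LAN is excluded with "!" so a remote
    # client can never claim an address on the internal network.
    # Assumption: the gateway's LAN is 10.1.0.0/24.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.1.0.0/24

# Roadwarriors that may sit behind a NAT router: tunnel mode.
conn rw-nat
    type=tunnel
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=%any
    # %no:   accept a client that presents no inner subnet (not NATed)
    # %priv: accept a NATed client whose inner address is in virtual_private
    rightsubnet=vhost:%no,%priv
    authby=secret
    auto=add

# Existing non-NAT client in transport mode. A peer that is not behind
# NAT never negotiates NAT-T encapsulation, so the global setting above
# does not change this conn.
# Assumption: 203.0.113.10 is the client's fixed public address.
conn transport-fixed
    type=transport
    left=%defaultroute
    right=203.0.113.10
    authby=secret
    auto=add
```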