[Openswan Users] NAT-T

Paul Wouters paul at xelerance.com
Fri Mar 24 01:56:24 CET 2006


On Thu, 23 Mar 2006, ted leslie wrote:

> are you saying if use the Klips patch you MUST also install the NAT-T patch?
> they always go hand in hand?

If you want to support connections from roadwarriors behind a NAT router, yes.

> i thought the Klips patch was just to get back the ipsec## interfaces,

KLIPS is an IPsec stack, not just a virtual interface.

> and be able to do some NAT'ing between interfaces, that was a bit harder or impossible
> to do without the Klips, but that doesn't (shouldn't) tie it to NAT-T ? should it?

You can do NAT between interfaces fine. But roadwarriors behind a NAT router
use ESPinUDP encapsulation. That is what the NAT-T patch provides for KLIPS.

Paul

> On Thu, 23 Mar 2006 23:06:29 +0100 (CET)
> Paul Wouters <paul at xelerance.com> wrote:
>
> > On Thu, 23 Mar 2006, Oliver Tomkins wrote:
> >
> > > 1) We're using the 2.6.15-1.1833_FC4 kernel.  Am I correct in thinking that
> > > the NAT-T patch is already applied to this kernel?
> >
> > No. If you use NETKEY, then you do not need the NAT-T patch, as NETKEY has its
> > own nat-t capabilities built in. If you use KLIPS, you need the NAT-T patch.
> > KLIPS does not come with FC kernels.
> >
> > > 2) As NAT-T is enabled globally in the ipsec.conf am I correct in thinking
> > > this will not have an effect on the clients connecting from non NAT sources.
> >
> > It depends on your configuration. If you use nat_traversal=yes, the proper
> > virtual_private line, and use: rightsubnet=vhost:%no,%priv then it should
> > not influence your non-natted connections.
> >
> > > 3) All our existing non NAT clients connect with type=transport which has
> > > security implications with NAT-T. Is this only for the clients connecting from
> > > behind a NAT router?
> >
> > You will have major problems if you need to support l2tp/transport mode connections
> > from behind NAT. Particularly, users with the same NAT'ed IP address behind
> > different NAT routers, and having multiple roadwarriors behind the same NAT
> > router. We are working on fixing these issues, but we are still looking for
> > resources to help us complete this project. This is not supported in openswan-2.4.x.
> >
> > Paul

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
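As an added illustration (not part of the thread, and not Openswan's own documentation), here is what the combination Paul describes looks like in ipsec.conf: nat_traversal=yes in config setup, a virtual_private line, and rightsubnet=vhost:%no,%priv on the roadwarrior conn. The addresses 203.0.113.1 and 192.168.1.0/24 are constructed placeholders, and the conn name "roadwarriors" is hypothetical.

```ini
# Constructed example, not from the mailing-list thread.
config setup
    # Enable NAT-T globally. On KLIPS this needs the NAT-T kernel patch
    # (ESPinUDP encapsulation); NETKEY has the capability built in.
    nat_traversal=yes
    # Private ranges a NATed roadwarrior may present as its inner address.
    # Our own LAN (192.168.1.0/24, placeholder) is excluded with "!" so a
    # client can never claim an address that overlaps the local subnet.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Hypothetical conn name; addresses are placeholders.
conn roadwarriors
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    right=%any
    # %no   : a non-NATed client is accepted as itself (no virtual address),
    #         so enabling NAT-T does not change how these clients behave.
    # %priv : a NATed client may claim an address from virtual_private.
    rightsubnet=vhost:%no,%priv
    authby=secret
    auto=add
```

The last point in the thread still applies: this covers tunnel-mode roadwarriors, not the l2tp/transport-mode-behind-NAT case Paul says openswan-2.4.x does not support.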

