[Openswan Users] NAT-T

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Fri Mar 24 14:52:19 CET 2006


As ever thanks very much for your help.

I added

nat_traversal=yes, virtual_private line, rightsubnet=vhost:%no,%priv to 
the ipsec.conf and opened port 4500 on the firewall.

The client machine appears to connect fine - the client can browse the 
network etc.

However when I'm packet sniffing on the firewall I only see UDP traffic 
rather than the ESP traffic that I normally see with our non-NAT clients?

Am I missing something obvious here?

Thanks,

Olly.



Paul Wouters wrote:
> On Thu, 23 Mar 2006, Oliver Tomkins wrote:
> 
>> 1) We're using the 2.6.15-1.1833_FC4 kernel.  Am I correct in thinking that
>> the NAT-T patch is already applied to this kernel?
> 
> No. If you use NETKEY, then you do not need the NAT-T patch, as NETKEY has its
> own nat-t capabilities built in. If you use KLIPS, you need the NAT-T patch.
> KLIPS does not come with FC kernels.
> 
>> 2) As NAT-T is enabled globally in the ipsec.conf am I correct in thinking
>> this will not have an effect on the clients connecting from non NAT sources.
> 
> It depends on your configuration. If you use nat_traversal=yes, the proper
> virtual_private line, and use: rightsubnet=vhost:%no,%priv then it should
> not influence your non-natted connections.
> 
>> 3) All our existing non NAT clients connect with type=transport which has
>> security implications with NAT-T. Is this only for the clients connecting from
>> behind a NAT router?
> 
> You will have major problems if you need to support l2tp/transport mode connections
> from behind NAT. Particularly, users with the same NAT'ed IP address behind
> different NAT routers, and having multiple roadwarriors behind the same NAT
> router. We are working on fixing these issues, but we are still looking for
> resources to help us complete this project. This is not supported in openswan-2.4.x
> 
> Paul
> 

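The UDP-only traffic Olly sees is what NAT-T is supposed to produce: once NAT traversal is negotiated, both IKE and ESP move to UDP port 4500 (RFC 3948), with ESP carried directly after the UDP header and IKE distinguished by a four-zero-byte "non-ESP marker". The following script is an added example, not part of this thread or of Openswan; it classifies constructed UDP/4500 payloads so an administrator can confirm that the "UDP traffic" is in fact encapsulated ESP (non-zero SPI in the first four bytes) rather than only IKE or keepalives. The sample payloads, SPI values and peer addresses are constructed for the example.

```python
import struct
from collections import Counter

# RFC 3948 section 2.2: IKE packets on UDP/4500 are prefixed with four zero bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 section 2.3: NAT keepalive is a single 0xFF byte
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28  # ISPI(8) RSPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)


def classify_udp4500_payload(payload: bytes) -> dict:
    """Classify one UDP payload captured on port 4500 as keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        # Shorter than an ESP header (SPI + sequence number); treat as malformed
        return {"kind": "malformed", "reason": "shorter than ESP SPI+sequence"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        (_ispi, _rspi, _next, version, exch_type, _flags, _msg_id,
         length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {"kind": "ike", "major": version >> 4,
                "exchange_type": exch_type, "length": length}
    # Anything else is ESP: SPI then sequence number, both network byte order
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize(flows):
    """Count packet kinds per peer address. flows: iterable of (src_ip, payload)."""
    counts = Counter()
    for src, payload in flows:
        counts[(src, classify_udp4500_payload(payload)["kind"])] += 1
    return counts


# Constructed sample traffic as it might be seen on the firewall's UDP/4500 socket.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x0123456789ABCDEF, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 24  # SPI, seq, ciphertext
SAMPLE_FLOWS = [
    ("192.0.2.10", SAMPLE_IKE),        # IKE_SA_INIT behind the non-ESP marker
    ("192.0.2.10", SAMPLE_ESP),        # encapsulated ESP: this is the user data
    ("192.0.2.10", SAMPLE_ESP),
    ("192.0.2.10", NAT_KEEPALIVE),     # keepalive holding the NAT mapping open
]

if __name__ == "__main__":
    for src, payload in SAMPLE_FLOWS:
        print(src, classify_udp4500_payload(payload))
    print(summarize(SAMPLE_FLOWS))
```

If every UDP/4500 packet classifies as IKE or keepalive and none as ESP, the tunnel is negotiating but not carrying data; seeing ESP records here, with plain protocol-50 ESP still visible for the non-NAT peers, is the expected result of the configuration described above.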