[Openswan Users] NAT-T Help
Peter McGill
petermcgill at goco.net
Tue Nov 28 16:39:17 EST 2006
I'm running Openswan 2.4.6 on Kernel 2.4.31.
I have 7+ offices linked using Openswan (without NAT-T).
They work great.
I added a L2TP/IPSec server connection to our main one (without NAT-T).
Again, it works fine.
I wanted to add NAT-T support to that server so that employees can access it from home networks.
I enabled NAT-T in ipsec.conf.
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32

conn remote-client-to-london-office-server
    rightsubnet=vhost:%no,%priv
I patched the kernel with the NAT-T patch.
cd /usr/src/linux-2.4.31; patch -p1 < openswan-2.4.6.kernel-2.4-natt.patch
(Enabled NAT-T in config, recompiled, installed the new kernel and rebooted).
Everything appeared to go alright.
NAT-T support appears to be compiled in, as I don't see this in the log anymore.
Nov 28 15:52:13 sheridan pluto[1746]: NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
But now all my old office to office connections don't work.
They all get stuck on Main I1, initiating the connection (initiated from either end).
But I don't see any error messages explaining what's wrong.
I checked my firewall logs (both ends) and it doesn't appear to be dropping anything.
Any suggestions?
I don't need to compile NAT-T on all the servers, do I?
That would be a real chore to synchronize.
In the meantime I've reverted to my old kernel.
Peter McGill
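An added example, not from the post or from Openswan's own code: a small Python checker that parses the virtual_private line quoted above and reports whether a road warrior's claimed inner subnet (rightsubnet=vhost:%priv) would be admitted under it, and which office subnets the exclusion list still lacks. It approximates Openswan's matching as "inside an allowed range and overlapping no excluded one"; the office subnets passed to it are constructed for illustration.

```python
import ipaddress

# virtual_private value copied from the ipsec.conf excerpt in the post
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,"
                   "%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32")


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) IPv4 networks.
    Entries look like %v4:<net> (allowed) or %v4:!<net> (excluded); %v6 is skipped."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue
        net = entry[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=True))
        else:
            allowed.append(ipaddress.ip_network(net, strict=True))
    return allowed, excluded


def client_accepted(value, client_net):
    """True if a client's claimed subnet lies inside an allowed range
    and does not overlap any excluded range (approximation of Openswan's check)."""
    allowed, excluded = parse_virtual_private(value)
    net = ipaddress.ip_network(client_net, strict=False)
    if not any(net.subnet_of(a) for a in allowed):
        return False
    return not any(net.overlaps(x) for x in excluded)


def missing_exclusions(value, local_subnets):
    """Local/office subnets inside the allowed ranges that are not excluded.
    A home network using one of these could be claimed by a client, shadowing
    the real office route behind the tunnel."""
    allowed, excluded = parse_virtual_private(value)
    missing = []
    for s in local_subnets:
        net = ipaddress.ip_network(s, strict=False)
        if any(net.subnet_of(a) for a in allowed) and not any(net.subnet_of(x) for x in excluded):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    # Constructed office subnets, not the poster's real ones
    print(client_accepted(VIRTUAL_PRIVATE, "192.168.1.0/24"))        # True
    print(client_accepted(VIRTUAL_PRIVATE, "192.168.2.0/24"))        # False: excluded
    print(missing_exclusions(VIRTUAL_PRIVATE, ["172.21.0.0/16", "10.1.0.0/16"]))  # ['10.1.0.0/16']
```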