[Openswan Users] NAT-T Help

Paul Wouters paul at xelerance.com
Wed Nov 29 19:20:22 EST 2006


On Tue, 28 Nov 2006, Peter McGill wrote:

> I'm running Openswan 2.4.6 on Kernel 2.4.31.
> I have 7+ offices linked using Openswan (without NAT-T).
> They work great.
> I added a L2TP/IPSec server connection to our main one (without NAT-T).
> Again it works fine.
>
> I wanted to add NAT-T support to that server so that employees can access from home networks.
> I enabled NAT-T in ipsec.conf.
> config setup
>         nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32
>
> conn remote-client-to-london-office-server
>         rightsubnet=vhost:%no,%priv
>
> I patched the kernel with the NAT-T patch.
> cd /usr/src/linux-2.4.31; patch -p1 < openswan-2.4.6.kernel-2.4-natt.patch
> (Enabled NAT-T in config, recompiled, installed the new kernel and rebooted).
> Everything appeared to go alright.
> NAT-T support appears to be compiled in, as I don't see this in the log anymore.
> Nov 28 15:52:13 sheridan pluto[1746]: NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
>
> But now all my old office to office connections don't work.
> They all get stuck on Main I1, initiating the connection (initiated from either end.)
> But I don't see any error messages explaining what's wrong.
> I checked my firewall logs (both ends) and it doesn't appear to be dropping anything.
>
> Any suggestions?

That should not happen. It seems there is a conflict in the connections??

> I don't need to compile NAT-T on all the servers do I?
> That would be a real chore to synchronize.

Can you give us an 'ipsec barf' when in that bad state?

Paul
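The `virtual_private` line quoted above is the part of the setup that decides which private addresses a NAT-ed road warrior may claim through `rightsubnet=vhost:%no,%priv`: the `%v4:` entries are the allowed RFC 1918 ranges and the `%v4:!` entries carve out the subnets the offices use themselves, so a home client behind NAT cannot propose an address that collides with an office LAN. The following is an added example, not code from the thread or from Openswan; it models only that include/exclude decision for a proposed client address (the real `vhost:` negotiation does more), with the quoted value embedded as constructed input:

```python
"""Model of the virtual_private include/exclude check applied to a
NAT-ed client's proposed private address (rightsubnet=vhost:%no,%priv).

Added illustration, not Openswan code: it reproduces the decision
"inside an allowed range AND not overlapping an excluded range" and
nothing else of the IKE negotiation.
"""

import ipaddress

# Value copied from the quoted ipsec.conf, rejoined onto one line.
VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
    "%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,"
    "%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32"
)


def parse_virtual_private(value):
    """Split a virtual_private string into (includes, excludes) lists of
    IPv4 networks. A leading '!' after '%v4:' marks an exclusion."""
    includes, excludes = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            # Only the IPv4 form used in the quoted config is modelled here.
            raise ValueError(f"unsupported virtual_private entry: {entry!r}")
        net = entry[len("%v4:"):]
        if net.startswith("!"):
            excludes.append(ipaddress.ip_network(net[1:], strict=True))
        else:
            includes.append(ipaddress.ip_network(net, strict=True))
    return includes, excludes


def priv_decision(proposed, value=VIRTUAL_PRIVATE):
    """Return (accepted, reason) for a client-proposed subnet such as
    '192.168.1.7/32'. Accepted only if it sits inside one allowed range
    and overlaps none of the excluded (locally used) ranges."""
    includes, excludes = parse_virtual_private(value)
    net = ipaddress.ip_network(proposed, strict=False)

    allowed_in = [inc for inc in includes if net.subnet_of(inc)]
    if not allowed_in:
        return False, f"{net} is outside every allowed range"

    clashes = [exc for exc in excludes if net.overlaps(exc)]
    if clashes:
        return False, f"{net} overlaps excluded range {clashes[0]} (a local subnet)"

    return True, f"{net} accepted via {allowed_in[0]}"


def priv_accepts(proposed, value=VIRTUAL_PRIVATE):
    """Boolean convenience wrapper around priv_decision()."""
    return priv_decision(proposed, value)[0]


if __name__ == "__main__":
    # Constructed client addresses: typical home-router ranges plus a few
    # that deliberately land on the excluded office subnets.
    for client in ("192.168.1.7/32", "192.168.2.5/32", "10.0.0.5/32",
                   "10.1.2.3/32", "172.21.5.5/32", "172.17.1.152/32",
                   "172.17.1.153/32", "8.8.8.8/32"):
        ok, why = priv_decision(client)
        print(f"{'ACCEPT' if ok else 'REJECT'}: {why}")
```

Running it shows why excluding every office subnet matters: a client whose home LAN happens to be 192.168.2.0/24 or 10.0.0.0/24 is refused rather than being allowed to shadow the office network, while 192.168.1.x or 10.1.x.x clients are accepted through the enclosing RFC 1918 range.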
