[Openswan Users] NAT-T Help
paul at xelerance.com
Wed Nov 29 19:20:22 EST 2006
On Tue, 28 Nov 2006, Peter McGill wrote:
> I'm running Openswan 2.4.6 on Kernel 2.4.31.
> I have 7+ offices linked using Openswan (without NAT-T).
> They work great.
> I added a L2TP/IPSec server connection to our main one (without NAT-T).
> Again it works fine.
> I wanted to add NAT-T support to that server so that employees can access from home networks.
> I enabled NAT-T in ipsec.conf.
> config setup
> conn remote-client-to-london-office-server
> I patched the kernel with the NAT-T patch.
> cd /usr/src/linux-2.4.31; patch -p1 < openswan-2.4.6.kernel-2.4-natt.patch
> (Enabled NAT-T in config, recompiled, installed the new kernel and rebooted).
> Everything appeared to go alright.
> NAT-T support appears to be compiled in, as I don't see this in the log anymore.
> Nov 28 15:52:13 sheridan pluto: NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4
> But now all my old office to office connections don't work.
> They all get stuck on Main I1, initiating the connection (initiated from either end.)
> But I don't see any error messages explaining what's wrong.
> I checked my firewall logs (both ends) and it doesn't appear to be dropping anything.
> Any suggestions?
That should not happen. It seems there is a conflict in the connections??
> I don't need to compile NAT-T on all the servers do I?
> That would be a real chore to synchronize.
Can you give us an 'ipsec barf' when in that bad state?