[Openswan Users] One Way Traffic Flow?
Paul Wouters
paul at xelerance.com
Wed Feb 28 13:11:36 EST 2007
On Wed, 28 Feb 2007, Ben Batten wrote:
> When I tweaked the conn that way I end up with INVALID_ID_INFORMATION and
> INVALID_MESSAGE_ID errors. Guessing as you said that NATT is jacked up and
> probably on my 2.6.20.
Are you doing PSK and IP based authentication?
> > Make sure you're not nat'ing packets destined for an ipsec tunnel
>
> No, in fact I think your comment about broken NAT is applicable here. I was
> under the impression that the NATT kernel patch was not necessary when using
> netkey though (?).
It isn't. Don't apply it if you are not going to use KLIPS.
> We're working in this configuration with the 2.4.7 version in this instance
> with 2.4 kernels. I tried the 2.4.8rc1 release and the NATT patch failed
> with 2.6.20; I know the NATed side is working OK as I have another 2.4 box
> tunneling with it currently and it's working fine.
I don't think it is the network. I think it is a configuration issue.
> > > conn HostA-HostB
> > > left=HostBpublicIP
> > > leftnexthop=HostBPublicDefaultGW
> > > leftsubnet=HostB/32
> >
> > That is almost always wrong. If you really just want a tunnel for the
> > host, leave out the subnet. If you still get a message with some /32 not
> > known,
> > you probably misconfigured NAT-T.
Again, this is probably your problem. Remove the /32 and then fix the config.
> Yeah, see comment above. My Linux 2.6.20 system appears to be the culprit.
I don't think so.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
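An added config check, not from the thread or from Openswan itself: a small Python lint that parses the conn sections of an ipsec.conf and flags the leftsubnet=HostB/32 pattern Paul says is almost always wrong for a host-to-host tunnel. The sample config and its addresses are constructed.

```python
# Added example, not from the thread: flag the misconfiguration Paul points at,
# a conn whose leftsubnet/rightsubnet is just the host's own address as a /32.
import ipaddress
import re

# Constructed sample; addresses are RFC 5737 placeholders for HostA/HostB.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn HostA-HostB
    left=203.0.113.10
    leftnexthop=203.0.113.1
    leftsubnet=203.0.113.10/32
    right=198.51.100.20
    rightsubnet=198.51.100.0/24
    authby=secret
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[:1] in (" ", "\t"):
            if current is not None and "=" in line:
                key, _, value = line.strip().partition("=")
                current[key.strip()] = value.strip()
        elif line.strip():
            current = None  # a non-indented line such as 'config setup' ends the section
    return conns

def redundant_host_subnets(conns):
    """(conn, key) pairs where <side>subnet is a /32 containing <side> itself."""
    findings = []
    for name, opts in conns.items():
        for side in ("left", "right"):
            host, subnet = opts.get(side), opts.get(side + "subnet")
            if not host or not subnet:
                continue
            try:
                net = ipaddress.ip_network(subnet, strict=False)
                if net.prefixlen == 32 and ipaddress.ip_address(host) in net:
                    findings.append((name, side + "subnet"))
            except ValueError:
                pass  # %defaultroute, hostnames or other non-literal values: skip
    return findings
```

Running `redundant_host_subnets(parse_conns(open("/etc/ipsec.conf").read()))` on a real config lists the conns whose /32 subnet line should be dropped.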