[Openswan Users] manual keying and NAT-Traversal

Paul Wouters paul at xelerance.com
Mon Jun 2 12:13:54 EDT 2008


On Mon, 2 Jun 2008, nooroon wrote:

> I didn't find any config which uses both manual keying and NAT-Traversal.
> In fact, I have not tried yet, but I was wondering if it's possible with
> openswan, since the NAT-Traversal RFC specifies that it has to be negotiated
> in IKE phase 1. And of course, with manual keying, IKE is not used anymore.
>
> Has anyone tried this config?

Manual keying is "do not use IKE". So yes, this would not be possible.

From the (new) man page entry:

	CONN PARAMETERS:  MANUAL KEYING

	This command was obsoleted around the same time that Al Gore invented the
	internet. ipsec manual was used in the jurassic period to load static
	keys into the kernel. There are no rational reasons to use this, and
	it is not supported anymore. If you need to create static SAs, then you
	can use ipsec spi and ipsec eroute

	No rational person uses static keys. They are not easier to use.
	REPEAT: they are not easier to use.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

