[Openswan Users] First time setup common questions

Richard Michael rmichael-openswan at edgeofthenet.org
Sun Jun 15 21:28:09 EDT 2008

Hi list,

I'm afraid I'm about to ask questions that are probably posted every
week, but I don't see the answers already on the list, nor in an updated
FAQ anywhere.  (If they're out there, just point me to them please.)
I'm planning on migrating a VPN setup to openswan with xl2tpd (using
Fedora 9 for convenience).  This means (currently) kernel, but
with Fedora patches.

The server is behind a NAT'd router on a garden variety broadband
connection.  I don't see CONFIG_IPSEC_NAT_TRAVERSAL in /boot/config*
files; so I assume the patch isn't merged mainline yet, nor has Fedora
done the work for me.  Do I need to patch this kernel?

If so, I obviously want to track security kernel updates from the distro
and would like to avoid building a new kernel every time.  Is the NAT-T
stuff a module by any chance?  What's the minimal work solution here?
(2.6.25 updates are frequent.)

Since F9 ships with openswan 2.6.09, I intend to build openswan 2.6.14.
Any pitfalls of which I should be aware?

Why would I choose KLIPS instead of NETKEY (or vice versa)?  Note that
prior experience is not a factor for me, as I'll be new to either.

Reading the mailing list, one post mentions PSK doesn't work well with
NAT-T clients and I should use X.509 certs.  Is that still the case?

Can I use PAM or some other currently existing auth scheme instead of
chap-secrets?  (I suppose this is an xl2tpd question, but any advice?
This would be the deal breaker, because I'm trying to avoid foo-secret
plaintext password files.)

Am I way off base on any of these issues and/or my questions nonsense?