[Openswan Users] KLIPS and NAT-T on 2.6.23.16?

Paul Wouters paul at xelerance.com
Mon Mar 31 14:46:32 EDT 2008


On Mon, 31 Mar 2008, Alex Weedy wrote:

> I am working with an embedded environment and I am down to the finishing
> touches. I need to know the status of KLIPS and NAT-T on 2.6.23.16. I need
> KLIPS because I am doing some unique routing where I need the ipsec0 device.

Two choices.

1) Use the "old style" NAT-T patch for KLIPS:
   ftp://ftp.openswan.org/openswan/openswan-2.4.x.kernel-2.6.23-natt.patch
   Disadvantage: Requires patching udp.c and thus recompile of kernel+modules
   (works with openswan-2.5.x too)

2) Use the "new style" NAT-T support in 2.6.23+ (split off from XFRM code)
   This requires enabling HAVE_UDP_ENCAP_CONVERT in ipsec_kversion.h to
   activate the kernel component, but the userland component of marking
   a UDP socket as ENCAP after negotiating NAT-T has not been completed yet.
   Disadvantage: We haven't finished the userland code yet :)

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
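
Added example, not part of the original message and not Openswan code: a sketch of the two halves named in option 2. It assumes "marking a UDP socket as ENCAP" refers to the mainline Linux `UDP_ENCAP` socket option with `UDP_ENCAP_ESPINUDP`; the function names `mark_socket_espinudp` and `natt_classify` are hypothetical, and the classifier models the RFC 3948 demultiplexing rules in user space.

```c
/* Added example: illustrative only, not taken from Openswan or KLIPS. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>

#ifndef SOL_UDP
#define SOL_UDP IPPROTO_UDP
#endif
#ifndef UDP_ENCAP
#define UDP_ENCAP 100            /* value from linux/udp.h */
#endif
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP 2     /* RFC 3948 framing, value from linux/udp.h */
#endif

/* Userland half: once IKE has negotiated NAT-T, flag the port-4500 socket so
 * the kernel diverts ESP-in-UDP datagrams to its decapsulation hook.
 * Returns 0 on success or -errno (e.g. -ENOPROTOOPT without kernel support). */
int mark_socket_espinudp(int fd)
{
    int type = UDP_ENCAP_ESPINUDP;
    if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
        return -errno;
    return 0;
}

enum natt_kind { NATT_KEEPALIVE, NATT_IKE, NATT_ESP, NATT_INVALID };

/* Kernel half, modelled in user space: RFC 3948 demultiplexing of a UDP
 * payload received on a socket marked as above. */
enum natt_kind natt_classify(const uint8_t *p, size_t len)
{
    static const uint8_t non_esp_marker[4] = {0, 0, 0, 0};

    if (len == 1 && p[0] == 0xFF)
        return NATT_KEEPALIVE;   /* NAT-keepalive: dropped silently */
    if (len < 4)
        return NATT_INVALID;     /* too short for an SPI or a marker */
    if (memcmp(p, non_esp_marker, 4) == 0)
        return NATT_IKE;         /* Non-ESP marker: goes to the IKE daemon */
    if (len <= 8)
        return NATT_INVALID;     /* ESP header (SPI + sequence) with no payload */
    return NATT_ESP;             /* non-zero SPI: decapsulate as ESP */
}
```

Until userland issues the `setsockopt` call, every datagram on the socket is delivered to the IKE daemon, which is why the kernel component alone does not give working NAT-T.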

