[Openswan Users] KLIPS and NAT-T on 2.6.23.16?
Paul Wouters
paul at xelerance.com
Mon Mar 31 14:46:32 EDT 2008
On Mon, 31 Mar 2008, Alex Weedy wrote:
> I am working with an embedded environment and I am down to the finishing
> touches. I need to know the status of KLIPS and NAT-T on 2.6.23.16. I need
> KLIPS because I am doing some unique routing where I need the ipsec0 device.
Two choices.

1) Use the "old style" NAT-T patch for KLIPS:
   ftp://ftp.openswan.org/openswan/openswan-2.4.x.kernel-2.6.23-natt.patch
   Disadvantage: Requires patching udp.c and thus recompile of kernel+modules
   (works with openswan-2.5.x too)

2) Use the "new style" NAT-T support in 2.6.23+ (split off from XFRM code)
   This requires enabling HAVE_UDP_ENCAP_CONVERT in ipsec_kversion.h to
   activate the kernel component, but the userland component of marking
   a UDP socket as ENCAP after negotiating NAT-T has not been completed yet.
   Disadvantage: We haven't finished the userland code yet :)

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155