[Openswan Users] KLIPS and NAT-T on

Paul Wouters paul at xelerance.com
Mon Mar 31 14:46:32 EDT 2008

On Mon, 31 Mar 2008, Alex Weedy wrote:

> I am working with an embedded environment and I am down to the finishing
> touches. I need to know the status of KLIPS and NAT-T on I need
> KLIPS because I am doing some unique routing where I need the ipsec0 device.

Two choices.

1) Use the "old style" NAT-T patch for KLIPS:
   Disadvantage: Requires patching udp.c and thus recompile of kernel+modules
   (works with openswan-2.5.x too)

2) Use the "new style" NAT-T support in 2.6.23+ (split off from XFRM code)
   This requires enabling HAVE_UDP_ENCAP_CONVERT in ipsec_kversion.h to
   activate the kernel component, but the userland component of marking
   a UDP socket as ENCAP after negotiating NAT-T has not been completed yet.
   Disadvantage: We haven't finished the userland code yet :)

Building and integrating Virtual Private Networks with Openswan:
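
The userland step mentioned in option 2, as an added example that is not part of the original message or Openswan's code. It assumes the mainline Linux `UDP_ENCAP` socket option with `UDP_ENCAP_ESPINUDP` is the marking meant; the function names and sample packets are constructed for illustration, and the classifier follows the RFC 3948 payload layout on UDP/4500.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Mainline Linux <linux/udp.h> values, defined only if the headers lack them. */
#ifndef UDP_ENCAP
#define UDP_ENCAP 100
#endif
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP 2            /* RFC 3948 ESP-in-UDP */
#endif

enum natt_kind { NATT_TOO_SHORT, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

/* Constructed sample payloads (not captured traffic). */
static const uint8_t sample_keepalive[] = { 0xFF };
static const uint8_t sample_ike[] = { 0, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD, 1, 2, 3, 4 };
static const uint8_t sample_esp[] = { 0x12, 0x34, 0x56, 0x78, 0, 0, 0, 1, 9, 9, 9, 9 };

/* Classify a UDP/4500 payload: one 0xFF byte is a NAT keepalive, four zero
 * bytes (the non-ESP marker) prefix IKE, a non-zero SPI starts an ESP packet. */
enum natt_kind natt_classify(const uint8_t *p, size_t len)
{
    if (len == 1 && p[0] == 0xFF) return NATT_KEEPALIVE;
    if (len < 4) return NATT_TOO_SHORT;
    if (memcmp(p, "\0\0\0\0", 4) == 0) return NATT_IKE;
    return len > 8 ? NATT_ESP : NATT_TOO_SHORT;   /* SPI + sequence = 8 bytes */
}

/* Hypothetical helper: mark the IKE daemon's UDP socket so the kernel
 * decapsulates ESP-in-UDP itself. Returns 0, or -1 with errno set. */
int natt_mark_encap(int fd)
{
    int type = UDP_ENCAP_ESPINUDP;
    return setsockopt(fd, IPPROTO_UDP, UDP_ENCAP, &type, sizeof(type));
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    if (natt_mark_encap(fd) < 0)
        perror("setsockopt(UDP_ENCAP)");   /* kernel built without ESP-in-UDP support */
    printf("keepalive=%d ike=%d esp=%d\n", natt_classify(sample_keepalive, 1),
           natt_classify(sample_ike, sizeof sample_ike), natt_classify(sample_esp, sizeof sample_esp));
    close(fd);
    return 0;
}
```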
