[Openswan Users] openswan 2.6.18 klips with 2.6.24 - is nat-t patch necessary?

Jorge Santos jorge.santos at idw.pt
Tue Nov 18 09:17:01 EST 2008


I'm sorry, I meant to say iptables -P INPUT ACCEPT, iptables -P FORWARD
ACCEPT, iptables -P OUTPUT ACCEPT (it was the wrong copy/paste).
At first I suspected iptables rules, so I opened everything and
configured the default policy to ACCEPT.
I didn't patch the kernel with nat-t because I think I read somewhere
that it was no longer necessary.

So, to summarize,
kernel 2.6.24.7-rt21.1.fc9.ccrma with openswan 2.6.18 netkey works ok
(no nat-t patch).
kernel 2.6.24.7-rt21.1.fc9.ccrma with openswan 2.6.18 klips patch doesn't
work (no nat-t patch).

Furthermore, if I sniff on ext if when I ping from rw to inside enc
domain, I can see IKE from rw to dest but not from dest to rw.

If I sniff on ipsec0 when I ping from rw to inside enc domain, I can see
ICMP from rw to dest and from dest to rw.

Any thoughts?
TIA
JS


Peter McGill wrote:
> Jorge,
>
> Those iptables settings will block any incoming traffic, this includes
> the IPSec traffic.
> You need to add rules to ACCEPT INPUT and FORWARD on ipsec0, and
> ACCEPT protocol 50 and udp port 500 on the public interface.
>
> Peter
>
> Jorge Santos wrote:
>> Hi
>>
>> I just patched kernel 2.6.24.7-rt21.1.fc9.ccrma from planet ccrma
>> srpm with klips 2.6.18. When using netkey, I am able to pass traffic
>> to my enc domain, but when I use klips, with no iptables
>> rules and iptables -P INPUT DROP, iptables -P FORWARD DROP, iptables
>> -P OUTPUT ACCEPT, I ping from the rw to the enc domain, but no reply
>> comes back. Any suggestions?
>>
>> TIA
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan: 
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
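The rule set Peter describes above (ACCEPT INPUT and FORWARD on ipsec0, ESP and UDP 500 on the public interface), written out as an added example that is not part of the thread. It also adds UDP 4500, which NAT-Traversal uses to encapsulate IKE and ESP, since that is the subject of the thread. The interface names eth0 and ipsec0 and the default-DROP policies mirror the original report; they are placeholder assumptions, and the script only prints the rules unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for an Openswan KLIPS
# gateway with default-DROP policies, following Peter's advice plus UDP 4500
# for NAT-Traversal. Interface names are placeholder assumptions.

PUB_IF="${PUB_IF:-eth0}"       # public interface where IKE/ESP arrive
IPSEC_IF="${IPSEC_IF:-ipsec0}" # KLIPS virtual interface carrying decrypted traffic
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the rules, 0 = apply them (needs root)

# Run an iptables command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

ipsec_firewall_rules() {
    # Default-DROP policies as in the original report; without the rules
    # below, IKE and ESP are dropped on the public interface and no reply
    # ever makes it back to the roadwarrior.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    # IKE (UDP 500) and ESP (IP protocol 50) on the public interface.
    run -A INPUT -i "$PUB_IF" -p udp --dport 500 -j ACCEPT
    run -A INPUT -i "$PUB_IF" -p 50 -j ACCEPT
    # NAT-Traversal encapsulates IKE and ESP in UDP 4500.
    run -A INPUT -i "$PUB_IF" -p udp --dport 4500 -j ACCEPT
    # Decrypted packets surface on ipsec0 (KLIPS): accept them for the
    # gateway itself and for forwarding into the encryption domain.
    run -A INPUT -i "$IPSEC_IF" -j ACCEPT
    run -A FORWARD -i "$IPSEC_IF" -j ACCEPT
    # Replies from the encryption domain back into the tunnel.
    run -A FORWARD -o "$IPSEC_IF" -j ACCEPT
}

ipsec_firewall_rules
```

Run with DRY_RUN=0 as root to apply the rules; in dry-run mode the output is the exact command list, which is handy for reviewing before touching a default-DROP firewall.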

