[Openswan Users] openswan 2.6.18 klips with 2.6.24 - is nat-t patch necessary?
Jorge Santos
jorge.santos at idw.pt
Tue Nov 18 09:17:01 EST 2008
I'm sorry, I meant to say iptables -P INPUT ACCEPT, iptables -P FORWARD
ACCEPT, iptables -P OUTPUT ACCEPT (it was the wrong copy/paste).
At first I suspected iptables rules, so I opened everything and
configured the default policy to ACCEPT.
I didn't patch the kernel with nat-t because I think I read somewhere
that it was no longer necessary.
So, to summarize,
kernel 2.6.24.7-rt21.1.fc9.ccrma with openswan 2.6.18 netkey works ok
(no nat-t patch).
kernel 2.6.24.7-rt21.1.fc9.ccrma with openswan 2.6.18 klips patch doesn't
work (no nat-t patch).
Furthermore, if I sniff on ext if when I ping from rw to inside enc
domain, I can see IKE from rw to dest but not from dest to rw.
If I sniff on ipsec0 when I ping from rw to inside enc domain, I can see
ICMP from rw to dest and from dest to rw.
Any thoughts?
TIA
JS
Peter McGill wrote:
> Jorge,
>
> Those iptables setting will block any incoming traffic, this includes
> the IPSec traffic.
> You need to add rules to ACCEPT INPUT and FORWARD on ipsec0, and
> ACCEPT protocol 50 and udp port 500 on the public interface.
>
> Peter
>
> Jorge Santos wrote:
>> Hi
>>
>> I just patched kernel 2.6.24.7-rt21.1.fc9.ccrma from planet ccrma
>> srpm with klips 2.6.18. When using netkey, I am able to pass traffic
>> to my enc domain, but when I use klips, with no iptables
>> rules and iptables -P INPUT DROP, iptables -P FORWARD DROP, iptables
>> -P OUTPUT ACCEPT, I ping from the rw to the enc domain, but no reply
>> comes back. Any suggestions?
>>
>> TIA
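Peter's rule list above (ACCEPT INPUT and FORWARD on ipsec0, ESP and UDP 500 on the public interface) written out as a script, as an added example that is not from the thread or from the Openswan project. It assumes the public interface name is passed as the first argument, that ESTABLISHED/RELATED replies should be allowed in, and that UDP 4500 is only needed when a NAT-T capable build is in use (an assumption; the thread's setup has no nat-t patch).

```shell
#!/bin/sh
# Added example: default-DROP INPUT/FORWARD policy for an Openswan KLIPS
# gateway, opened only for IKE, ESP and the decrypted traffic on ipsec0.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Usage: klips_firewall <public-interface>   e.g. klips_firewall eth0
klips_firewall() {
    pub="$1"
    # Default policies: nothing in or through unless explicitly allowed.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -F INPUT
    run -F FORWARD
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway itself opened (assumed wanted).
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IKE (ISAKMP) on the public interface.
    run -A INPUT -i "$pub" -p udp --dport 500 -j ACCEPT
    # ESP, the encrypted IPsec payload (IP protocol 50).
    run -A INPUT -i "$pub" -p 50 -j ACCEPT
    # UDP-encapsulated ESP, only for a NAT-T capable build (assumption).
    if [ "${NAT_T:-0}" = "1" ]; then
        run -A INPUT -i "$pub" -p udp --dport 4500 -j ACCEPT
    fi
    # Decrypted packets appear on the KLIPS ipsec0 interface: let them
    # reach the gateway and be forwarded into/out of the enc domain.
    run -A INPUT -i ipsec0 -j ACCEPT
    run -A FORWARD -i ipsec0 -j ACCEPT
    run -A FORWARD -o ipsec0 -j ACCEPT
}
```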