[Openswan Users] Trying to use linux as VPN client

Sebastiaan van Erk sebster at sebster.com
Thu Nov 20 17:13:40 EST 2008


Paul Wouters wrote:

> On Thu, 20 Nov 2008, Sebastiaan van Erk wrote:
> 
>> I configured GTA mobile client to have NAT-T disabled; tunnel setup works
>> fine, but connections don't work afterwards. With NAT-T on "force" it does
>> work, so NAT-T seems to be required. This leads me to guess that it's not
>> causing problems right now (since tunnel setup worked without NAT-T), but it
>> will be a problem once I get a step further....
> 
> Can you explain "NAT-T on force"? Did you mean forceencaps= ? Or something
> on the client?

Yes, it's an option in the GTA mobile client on Windows XP. I'm guessing 
it means the same as "yes". The options are "auto", "forced", and 
"disabled". Basically the tunnel doesn't work properly (even though it 
gets established) when I disable NAT-T using the GTA mobile client. 
Which is logical I guess, since I'm behind NAT.

The log file does say the following:

Nov 20 23:02:38 blauwoor pluto[998]: Setting NAT-Traversal port-4500 floating to on
Nov 20 23:02:38 blauwoor pluto[998]:    port floating activation criteria nat_t=1/port_float=1
Nov 20 23:02:38 blauwoor pluto[998]:   KLIPS does not have NAT-Traversal built in (see /proc/net/ipsec/natt)
Nov 20 23:02:38 blauwoor pluto[998]:    including NAT-Traversal patch (Version 0.6c)

Does this mean that NAT-T is enabled after all, and I do not need to 
recompile my kernel?

>>>     phase2alg=aes192-sha1-modp1024
>>>
>>> [The format for ESP is ENC-AUTH followed by an optional PFSgroup. For
>>> instance, "3des-md5" or "aes256-sha1-modp2048". --- the man page]
> 
> You can try aes256-sha1;modp2048
> It depends on the version of openswan (and I think with some versions,
> the man page didn't get re-generated)

From the GTA mobile client config I deduced that I need modp1024, and 
from the log it seems that that's what I'm using, so I guess I should be OK.

Nov 20 22:39:49 blauwoor pluto[32500]: "relate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:8496cd7b proposal=AES(12)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

Regards,
Sebastiaan

> Paul
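As an added example, not code from this thread or from Openswan itself: a small Python script that parses the two pluto log excerpts quoted above (embedded here as constructed sample input, re-joined onto single lines) and turns the negotiated Quick Mode proposal into the equivalent phase2alg= string, in both the older dash-separated and the newer semicolon-separated PFS-group syntax that Paul mentions, so you can check what pluto actually negotiated against what you put in ipsec.conf. It also pulls out the nat_t/port_float flags pluto printed. The regexes and the mapping of the log's AES(12)_192-SHA1(2)_160 / OAKLEY_GROUP_MODP1024 notation onto aes192-sha1 / modp1024 are my own assumptions about the log format; the script only reports what pluto logged and does not decide whether the kernel really supports NAT-T.

```python
import re

# Constructed sample input: the pluto lines quoted in this mail,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Nov 20 23:02:38 blauwoor pluto[998]: Setting NAT-Traversal port-4500 floating to on
Nov 20 23:02:38 blauwoor pluto[998]:    port floating activation criteria nat_t=1/port_float=1
Nov 20 23:02:38 blauwoor pluto[998]:   KLIPS does not have NAT-Traversal built in (see /proc/net/ipsec/natt)
Nov 20 23:02:38 blauwoor pluto[998]:    including NAT-Traversal patch (Version 0.6c)
Nov 20 22:39:49 blauwoor pluto[32500]: "relate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:8496cd7b proposal=AES(12)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
"""

# Assumed layout of pluto's "initiating Quick Mode" line:
#   proposal=<ENC>(<id>)_<keybits>-<AUTH>(<id>)_<authbits> [pfsgroup=OAKLEY_GROUP_<GROUP>]
QUICK_MODE_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: initiating Quick Mode (?P<flags>[A-Za-z0-9+]+) '
    r'\{.*?proposal=(?P<enc>[A-Z0-9]+)\(\d+\)_(?P<keylen>\d+)'
    r'-(?P<auth>[A-Z0-9]+)\(\d+\)_\d+'
    r'(?: pfsgroup=OAKLEY_GROUP_(?P<pfs>[A-Z0-9]+))?'
)

# Assumed layout of the NAT-T activation line.
NATT_RE = re.compile(r'port floating activation criteria nat_t=(\d)/port_float=(\d)')


def parse_quick_mode(line):
    """Return the negotiated ESP proposal from one Quick Mode line, or None."""
    m = QUICK_MODE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    flags = set(d["flags"].split("+"))
    return {
        "conn": d["conn"],
        "enc": d["enc"].lower(),          # AES -> aes
        "keylen": int(d["keylen"]),       # 192
        "auth": d["auth"].lower(),        # SHA1 -> sha1
        "pfs": d["pfs"].lower() if d["pfs"] else None,  # MODP1024 -> modp1024
        "pfs_policy": "PFS" in flags,     # policy asked for PFS at all
    }


def to_phase2alg(proposal, semicolon=True):
    """Render a parsed proposal as a phase2alg= value.

    semicolon=True gives the newer "enc-auth;group" form, False the older
    "enc-auth-group" form; which one your openswan accepts is version dependent.
    """
    alg = f"{proposal['enc']}{proposal['keylen']}-{proposal['auth']}"
    if proposal["pfs"]:
        alg += (";" if semicolon else "-") + proposal["pfs"]
    return alg


def phase2alg_matches(configured, negotiated):
    """Compare two phase2alg strings, ignoring the '-' vs ';' separator difference."""
    def norm(s):
        return tuple(re.split(r"[-;]", s.strip().lower()))
    return norm(configured) == norm(negotiated)


def natt_status(log):
    """Collect what pluto reported about NAT-T; does not judge kernel support."""
    status = {"nat_t": None, "port_float": None, "klips_builtin": None, "natt_patch": None}
    for line in log.splitlines():
        m = NATT_RE.search(line)
        if m:
            status["nat_t"] = m.group(1) == "1"
            status["port_float"] = m.group(2) == "1"
        if "KLIPS does not have NAT-Traversal built in" in line:
            status["klips_builtin"] = False
        if "including NAT-Traversal patch" in line:
            status["natt_patch"] = True
    return status


def summarize(log):
    """Find the negotiated proposals and NAT-T flags in a pluto log."""
    proposals = [p for p in map(parse_quick_mode, log.splitlines()) if p]
    return {"proposals": proposals, "natt": natt_status(log)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for p in s["proposals"]:
        print(f'{p["conn"]}: negotiated phase2alg={to_phase2alg(p)} '
              f'(old syntax: {to_phase2alg(p, semicolon=False)}), '
              f'PFS policy={p["pfs_policy"]}')
    print("NAT-T flags reported by pluto:", s["natt"])
    print("matches configured aes192-sha1-modp1024:",
          phase2alg_matches("aes192-sha1-modp1024", to_phase2alg(s["proposals"][0])))
```

Run it against `grep pluto /var/log/auth.log` (or wherever your syslog puts pluto) instead of SAMPLE_LOG; if `phase2alg_matches` is False for the connection you care about, the peer accepted something other than what you configured and the log's proposal= line tells you what to put in ipsec.conf.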