[Openswan Users] Trying to use linux as VPN client

Sebastiaan van Erk sebster at sebster.com
Fri Nov 21 03:59:12 EST 2008


Hi,

Paul Wouters wrote:
>> The log file does say the following:
>>
>> Nov 20 23:02:38 blauwoor pluto[998]: Setting NAT-Traversal port-4500 
>> floating to on
>> Nov 20 23:02:38 blauwoor pluto[998]:    port floating activation 
>> criteria nat_t=1/port_float=1
>> Nov 20 23:02:38 blauwoor pluto[998]:   KLIPS does not have 
>> NAT-Traversal built in (see /proc/net/ipsec/natt)
>> Nov 20 23:02:38 blauwoor pluto[998]:    including NAT-Traversal patch 
>> (Version 0.6c)
>>
>> Does this mean that NAT-T is enabled after all, and I do not need to 
>> recompile my kernel?
> 
> Looks like you're missing NAT-T. If you have your kernel .config file
> anywhere, grep it for CONFIG_IPSEC_NAT_TRAVERSAL.
> 
> Paul

OK, I have the config file in /boot. When I grep it for IPSEC, it returns 
nothing. I downloaded the source for the kernel and I'm trying to apply 
the patch, but it fails (on 2.6.22 and on 2.6.27). This is the output 
for 2.6.22:

root at blauwoor(:0j:506:1):/home/sebster/Temp/openswan/openswan-2.6.18$ 
make nattpatch | (cd /usr/src/linux && patch -p1)
The next patch would create the file include/net/xfrmudp.h,
which already exists!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file include/net/xfrmudp.h.rej
patching file net/ipv4/Kconfig
Hunk #1 succeeded at 351 with fuzz 1.
patching file net/ipv4/udp.c
Hunk #1 FAILED at 108.
Hunk #2 FAILED at 882.
Hunk #3 FAILED at 914.
Hunk #4 FAILED at 1044.
Hunk #5 FAILED at 1153.
Hunk #6 FAILED at 1641.
6 out of 6 hunks FAILED -- saving rejects to file net/ipv4/udp.c.rej

Also, I'm wondering: under Windows, even if I disable NAT-T, phase 2 
succeeds and the tunnel is established (although it doesn't work). I 
have phase 2 failing, so would that not signify that there is something 
else still wrong as well?

Regards,
Sebastiaan

P.S.: Here is the ipsec auto --status output, just in case it might show 
something obvious I've missed...

root at blauwoor(:0j:657:2):~$ ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/eth1 10.1.0.6
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, 
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, 
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, 
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, 
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, 
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, 
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,36} 
trans={0,3,72} attrs={0,3,96}
000
000 "relate": 
10.1.0.6[sebster at sebster.com,+S=C]...111.111.111.111<111.111.111.111>[+S=C]===10.31.5.0/24; 
unrouted; eroute owner: #0
000 "relate":     myip=unset; hisip=unset;
000 "relate":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "relate":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW+lKOD+rKOD; prio: 32,24; 
interface: eth1;
000 "relate":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "relate":   IKE algorithms wanted: 
AES_CBC(7)_192-SHA1(2)-MODP1024(2); flags=-strict
000 "relate":   IKE algorithms found:  AES_CBC(7)_192-SHA1(2)_160-2,
000 "relate":   IKE algorithm newest: AES_CBC_192-SHA1-MODP1024
000 "relate":   ESP algorithms wanted: AES(12)_192-SHA1(2); flags=-strict
000 "relate":   ESP algorithms loaded: AES(12)_192-SHA1(2)_160
000
000 #3: "relate":500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
EVENT_RETRANSMIT in 14s; lastdpd=-1s(seq in:0 out:0); idle; import:admin 
initiate
000 #1: "relate":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); 
EVENT_SA_REPLACE in 2832s; newest ISAKMP; lastdpd=26s(seq in:0 out:0); 
idle; import:admin initiate
000
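As an added illustration (not part of this thread or of Openswan itself), a small Python checker that parses the pluto log lines and the `ipsec auto --status` state lines quoted above and reports the two conditions under discussion: a KLIPS stack that lacks NAT-T, and a phase 1 SA that is established while phase 2 is still retransmitting QI1 without a reply. The sample input is constructed from the lines in the message; the state-name sets are the usual Openswan state names for an initiator.

```python
import re

# Constructed sample input, abridged from the pluto log and status output
# quoted in the message above (not a live capture).
PLUTO_LOG = """\
Nov 20 23:02:38 blauwoor pluto[998]: Setting NAT-Traversal port-4500 floating to on
Nov 20 23:02:38 blauwoor pluto[998]:   KLIPS does not have NAT-Traversal built in (see /proc/net/ipsec/natt)
Nov 20 23:02:38 blauwoor pluto[998]:    including NAT-Traversal patch (Version 0.6c)
"""

STATUS = """\
000 using kernel interface: klips
000 "relate":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #3: "relate":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 14s; idle; import:admin initiate
000 #1: "relate":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2832s; newest ISAKMP; idle
"""

# Matches lines of the form: 000 #<sa>: "<conn>":<port> STATE_<name> ...
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+)')

# Initiator states meaning phase 1 is done (main or aggressive mode).
PHASE1_UP = {"STATE_MAIN_I4", "STATE_AGGR_I2"}
# Initiator state meaning QI1 was sent and no QR1 has arrived yet.
PHASE2_WAITING = {"STATE_QUICK_I1"}


def parse_states(status):
    """Return {sa_number: (connection_name, state)} from status output."""
    states = {}
    for line in status.splitlines():
        m = STATE_RE.match(line)
        if m:
            states[int(m.group(1))] = (m.group(2), m.group(3))
    return states


def diagnose(pluto_log, status):
    """Return a list of finding tags derived from the log and status text."""
    findings = []
    if "KLIPS does not have NAT-Traversal built in" in pluto_log:
        findings.append("klips-without-natt")
    states = set(state for _, state in parse_states(status).values())
    # Phase 1 up but phase 2 stuck means the peer never answered QI1:
    # the proposal, the subnet or the NAT-T path is the usual suspect.
    if states & PHASE1_UP and states & PHASE2_WAITING:
        findings.append("phase2-no-reply")
    return findings
```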