[Openswan Users] Status of NAT-T
Laszlo Attila Toth
panther at balabit.hu
Tue Feb 17 09:06:51 EST 2009
Hi,
David McCullough wrote:
> Jivin P.Freitag at kellergrundbau.at lays it down ...
>> Hello Everybody!
>>
>> Beforehand I want to apologize if this question has been asked before -
>> please point me to the relevant texts in that case, as I was not able to
>> find anything about it.
>>
>> The question is:
>>
>> Up to which kernel-version does the nat-t patch work?
>> (make nattpatch | (cd /usr/src/linux/ && patch -p1)) produces 5 failed
>> hunks in udp.c (2.6.24.5 and openswan 2.6.20rc1)
>> I would like to use KLIPS, but have to use a kernel higher than 2.6.24.5
>> due to some driver issues - and sadly wasn't able to find a natt-t patch
>> which works with it or any other higher kernel-version, so I have to stick
>> to netkey which I don't like.
>>
>> I've also read some hints about future development which will make the
>> natt patches obsolete? Is there some sort of roadmap available about it?
>
> I am running openswan with nat-t on linux-2.6.26 ok. I think I have pushed the
> updated nat-t patch stuff to paul. It may not be the ideal way to do
> the nat-t support but it works ok as far as I have tested it.
>
I've tried to use `make nattpatch2.6' with kernel 2.6.24. I've also got
these rejects with openswan 2.6.20. This is because the command tries to
patch udp_encap_rcv in net/ipv4/udp.c, but the corresponding code has
been moved into net/ipv4/xfrm4_input.c, named xfrm4_udp_encap_rcv().

> I am not sure how you should create the patch though. I thought you no
> longer needed to do the 'make nattpatch' bit, but I could be wrong.
>
AFAIK `make nattpatch' and `make kernelpatch' are necessary if someone
wants to compile the kernel as a whole, including NAT-T and KLIPS.

> Either way, if there are no better ideas I can generate a linux-2.6.26
> patch for use with openswan-2.6.20dr2 (and some earlier ones) without
> too much problem.

Where can I find that release? I searched the site but unfortunately I
found only openswan-2.6.20.tar.gz and a git repository which is a little
bit outdated: the testing branch of the openswan repository is the
following (and the other branches, stable, unstable, public.. are older):

commit efd88a6c7b03a15e047fb88775dd6010238c21d1
Author: Paul Wouters <paul at xelerance.com>
Date: Wed Mar 26 16:11:29 2008 -0400

    Add an X.509 certificate using SHA256 for testing pluto's sha256
    capability.

Regards,
Laszlo Attila Toth