[Openswan Users] Status of NAT-T
David McCullough
David_Mccullough at securecomputing.com
Tue Feb 17 19:14:34 EST 2009
Jivin Laszlo Attila Toth lays it down ...
> Hi,
>
> David McCullough wrote:
> >Jivin P.Freitag at kellergrundbau.at lays it down ...
> >>Hello Everybody!
> >>
> >>Beforehand I want to apologize if this question has been asked before -
> >>please point me to the relevant texts in that case, as I was not able to
> >>find anything about it.
> >>
> >>The question is:
> >>
> >>Up to which kernel-version does the nat-t patch work?
> >>(make nattpatch | (cd /usr/src/linux/ && patch -p1)) produces 5 failed
> >>hunks in udp.c (2.6.24.5 and openswan 2.6.20rc1)
> >>I would like to use KLIPS, but have to use a kernel higher than 2.6.24.5
> >>due to some driver issues - and sadly wasn't able to find a natt-t patch
> >>which works with it or any other higher kernel-version, so I have to
> >>stick to netkey which I don't like.
> >>
> >>I've also read some hints about future development which will make the
> >>natt patches obsolete? Is there some sort of roadmap available about it?
> >
> >I am running openswan with nat-t on linux-2.6.26 ok. I think I have
> >pushed the
> >updated nat-t patch stuff to Paul. It may not be the ideal way to do
> >the nat-t support but it works ok as far as I have tested it.
> >
>
> I've tried to use `make nattpatch2.6' with kernel 2.6.24. I've also got
> these rejects with openswan 2.6.20. This is because the command tries to
> patch udp_encap_rcv in net/ipv4/udp.c, but the corresponding code has
> been moved into net/ipv4/xfrm4_input.c named as xfrm4_udp_encap_rcv().
>
> >I am not sure how you should create the patch though. I thought you no
> >longer needed to do the 'make nattpatch' bit, but I could be wrong.
> >
>
> AFAIK `make nattpatch' and `make kernelpatch' are necessary if someone
> wants to compile the kernel as a whole, including NAT-T and KLIPS.
Ok, I have never used that method due to the way we manage our kernel
sources, so I really don't know what should generate the patch properly.
> >Either way, if there are no better ideas I can generate a linux-2.6.26
> >patch for use with openswan-2.6.20dr2 (and some earlier ones) without
> >too much problem.
>
> Where can I find that release? I searched the site but unfortunately I
http://www.openswan.org/download/development/
> found only openswan-2.6.20.tar.gz and a git repository which is a little
> bit outdated: the testing branch of the openswan repository is the
> following (and the other branches, stable, unstable, public.. are older)
I would go with 2.6.20 now anyway, 2.6.20dr2 was just a dev version
leading up to 2.6.20.
> commit efd88a6c7b03a15e047fb88775dd6010238c21d1
> Author: Paul Wouters <paul at xelerance.com>
> Date: Wed Mar 26 16:11:29 2008 -0400
>
> Add an X.509 certificate using SHA256 for testing pluto's sha256
> capability.
Here is the post I made with the patch:
http://lists.openswan.org/pipermail/users/2009-January/016027.html
Don't do any of the "make nattpatch" like bits at all. Just take the
patch attached to the above email and apply that to your kernel. I don't
expect this will go in without some fixups though, so if you are not
comfortable with a few simple kernel patch fixups, it may be best to
leave it. This is for a linux-2.6.26 kernel.
Cheers,
Davidm
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org