[Openswan Users] Forcing UDP Encapsulation in Tunnel Mode
Paul Wouters
paul at xelerance.com
Tue Feb 17 20:30:21 EST 2009
On Tue, 17 Feb 2009, Shasi Thati wrote:
> I am using OpenSwan to test my crypto driver that provides IPSec offload.
Can you tell us more about this? Does it accelerate via OCF? Other means?
And for KLIPS or NETKEY?
> I have a very basic tunnel set up as shown below. I am primarily trying
> to test UDP Encapsulation through this tunnel although I do not have a
> NAT device on either side of the tunnel. The problem I am having is that
> with the following ipsec.conf (with nat_traversal=yes and
> forceencaps=yes), I only see ESP Packets but not UDP Encapsulated packets.
> version 2.0
> #config setup
> config setup
>     interfaces=%defaultroute
>     protostack=netkey
>     klipsdebug=none
>     plutodebug=all
>     nat_traversal=yes
The responder side also needs a virtual_private= line
> #Simple Host to Host Connection
> conn tunnel-to-tunnel
>     type=tunnel
>     forceencaps=yes
>     left=192.168.1.100
>     leftsubnet=10.66.21.0/24
>     leftrsasigkey=<right key>
>     right=192.168.2.100
>     rightsubnet=10.66.12.0/24
>     rightrsasigkey=<left key>
>     keyingtries=1
>     auto=add
> Linux Openswan U2.5.17/K2.6.27 (netkey)
Any particular reason why you are on 2.5.17? You should migrate to 2.6.x.
> pluto[1944]: Starting Pluto (Openswan Version 2.5.17; Vendor ID OEztC{yJaHh[) pid:1944
> pluto[1944]: Setting NAT-Traversal port-4500 floating to off
> pluto[1944]: port floating activation criteria nat_t=0/port_float=1
> pluto[1944]: including NAT-Traversal patch (Version 0.6c) [disabled]
It is disabled because of the missing virtual_private line.
Paul
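
An added example, not part of the original message or of Openswan: a small Python check that compares what ipsec.conf asks for with the NAT-T state pluto logs at startup, the mismatch seen in this thread. The sample config and log are constructed, abridged from the quoted text; the function names are hypothetical, and the virtual_private finding only repeats what the reply above names as missing.

```python
import re
# Constructed samples, abridged from the config and log quoted in this thread.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn tunnel-to-tunnel
    forceencaps=yes
"""
SAMPLE_LOG = """\
pluto[1944]: port floating activation criteria nat_t=0/port_float=1
pluto[1944]: including NAT-Traversal patch (Version 0.6c) [disabled]
"""

def parse_conf(text):
    """Return {section: {key: value}}; unindented lines open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def natt_enabled(log):
    """False/True from pluto's startup lines, None if neither marker is logged."""
    if re.search(r"NAT-Traversal patch .*\[disabled\]", log):
        return False
    m = re.search(r"\bnat_t=(\d)", log)
    return m.group(1) != "0" if m else None

def check(conf_text, log_text):
    conf = parse_conf(conf_text)
    setup = conf.get("config setup", {})
    wants = setup.get("nat_traversal") == "yes"
    forced = sorted(n for n, kv in conf.items()
                    if n.startswith("conn ") and kv.get("forceencaps") == "yes")
    findings = []
    if wants and natt_enabled(log_text) is False:
        findings.append("nat_traversal=yes is set, but pluto logged NAT-T as disabled")
        findings += ["%s: forceencaps=yes gives no UDP encapsulation while NAT-T is off" % n for n in forced]
    if wants and "virtual_private" not in setup:
        findings.append("config setup has no virtual_private= line (named in the reply above)")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONF, SAMPLE_LOG)))
```
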