[Openswan Users] NAT-T Test results and problems

Paul Wouters paul at xelerance.com
Wed Jun 17 10:00:06 EDT 2009

On Wed, 17 Jun 2009, Mehran Toreihi wrote:

> Dear Paul and other friends,
> We have tested two different versions of Openswan with kernels as follows:
> Openswan-2.4.8   on Redhat 9.0  (Kernel-2.4.20)
> Openswan-2.6.21 on CentOS-5.2 (Kernel-2.6.18)
> In all of the above combinations we have used KLIPS (kernel built-in) and have applied the NAT-T patch and no firewall at all.
> We wanted to test NAT-T in a site-to-site scenario in a lab as follows:

> The configuration, topology and the test results are attached as a pdf file.
> The tunnel does not establish when the left and right routers do PAT (port address translation).

You should show the output and/or logs of ipsec auto --up connname for me to be able to tell
you anything.

> When we use SNAT in both routers openswan-2.4.8-kernel-2.4.20 fails, but openswan-2.6.21-kernel-2.6.18 is OK (tunnel established
> and ping is OK).

First focus on the IKE protocol, and get the "IPsec SA established" messages. This is pure userland
and does not involve any kernel bits. Once you get those working properly, you can look at actual
packet flow and see if there are any kernel issues.

