[Openswan Users] centos 5.5 (2.6.18 and nat t)

aurfalien at gmail.com aurfalien at gmail.com
Wed Dec 1 17:09:37 EST 2010

Hi all,

Read some docs on this.

The issue is that Upon starting like this;

ipsec setup --start

/var/log/messages shows;

ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
ipsec__plutorun: 002 added connection description "vinz"
ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new  
style NAT-T family IPv4 (errno=19)
ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T

And just sits there.

While ipsec is still started, I do ipsec verify and get;

Version check and ipsec on-path								OK
Linux Openswan U2.6.26/K2.6.18-194.11.1.el5					OK
Checking for IPsec support in kernel							OK
SAref kernel support											N/A
NETKEY detected, testing for disabled ICMP send_redirects		FAILED

	Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
	or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects		FAILED

	Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
	or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running									OK
Pluto listening for IKE on udp 500								OK
Pluto listening for NAT-T on udp 4500							OK
two or more interfaces found, checking for IP forwarding			OK
Checking NAT and MASQUERADING							N/A
Checking for 'ip' command										OK
Checking for 'iptables' command								OK
Opportunistic Encryption Support								DISABLED

Any nuggets are GREATLY appreciated.

PS I do have ICMP send and accept redirects set as 0 in my sysctl.conf  
file for all interfaces and for both IPV4/6 so I'm unsure why ipsec  
verify says its not.

- aurf

More information about the Users mailing list