[Openswan Users] "cannot install eroute" occurs for Mac OSX users behind same NAT (v2.6.33)

Paul Wouters paul at xelerance.com
Tue May 17 16:41:30 EDT 2011


On Tue, 17 May 2011, Richard Schmidt wrote:

> I think when the OSX workaround was applied (in .33 I believe), it broke functionality for multiple Mac OSX users behind NAT.

Could you confirm that with a test? My guess would be the two events are not related,
but we use KLIPS and SAref to handle the multiple NAT cases as shown in
http://www.openswan.org/docs/ipsecsaref.png

> I've provided a transcript of the pluto log. Perhaps you can shed some light on how to fix this? I think SAref tracking was mentioned in an ancient email involving eroute, except I wouldn't know how to go about doing that for road-warriors on cellular data networks.

You would need to run an SAref-patched kernel with a regular KLIPS module, and use
protostack=mast in config setup and overlapip=yes in the l2tp connection definition.

We do provide some binaries for Ubuntu-based kernels with SAref and for rhel6beta kernels
(rhel5/centos5 kernels are based on 2.6.18 and are not supported with the SAref patch, though
it should work fine for the elrepo.org 2.6.38-based rhel5/centos5 kernels).

I thought (but I could be wrong!) that NETKEY did handle the two clients behind the same
NAT correctly, but not the two clients on the same internal IP behind different NAT routers.

Paul
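
For readers following the reply above, here is an ipsec.conf fragment putting the two settings Paul names (protostack=mast in config setup, overlapip=yes in the L2TP conn) into a road-warrior L2TP/IPsec configuration. This is an added illustration, not a file from Paul or from the Openswan project; the connection name, the virtual_private ranges and the other conn options are assumed typical values for an L2TP setup and may need adjusting to your installation.

```ini
# Added example, not Paul's or the Openswan project's own configuration.
# ipsec.conf fragment for L2TP/IPsec road warriors on a KLIPS/MAST stack with an
# SAref-patched kernel. Connection name and address ranges are placeholders.
version 2.0

config setup
    # MAST is the KLIPS variant that uses SAref to tell apart clients that
    # arrive with overlapping addresses; it needs the SAref-patched kernel.
    # The stack this replaces would be protostack=netkey (or klips).
    protostack=mast
    interfaces=%defaultroute
    nat_traversal=yes
    # Private ranges the road warriors may be NATed from (assumed list).
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn l2tp-psk
    authby=secret
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    # %any on the client port covers NATed clients whose source port is rewritten.
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    # Let several clients share an overlapping inner address: two machines behind
    # the same NAT, or the same private IP behind different NAT routers.
    # Only meaningful together with protostack=mast and SAref.
    overlapip=yes
    auto=add
```

After changing the stack, restart Openswan and check with `ipsec verify` that the kernel stack it found is the MAST/KLIPS one with SAref support rather than NETKEY; the exact wording of that report varies by version. If pluto still logs "cannot install eroute" for the second client behind a NAT, the module in use is not the SAref-enabled one.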
