Thread: Nat-traversal ?

  1. #1

    Nat-traversal ?

    Hi,

    I'm trying to make an IPSec/L2TP VPN (because I didn't succeed in making a PPTP one which works correctly).
    There is a release of openswan for openwrt which I did not try because I use the one with debian (layered onto my oleg firmware). However, to make it work for clients behind a NAT, a kernel functionality named "nat-traversal" is required and does not seem to be supported by the current kernel.

    Is it possible to include it ?

    The required patch for openwrt kernel is there:
    ftp://ftp.openswan.org/openswan/bina...sec-natt.patch

    But anyone interested in openswan can take a look at
    ftp://ftp.openswan.org/openswan/bina...20040509/ipkg/

    where there are the ipkg packages (I used only the ipsec.o module from there).

    Thank you for your work

  2. #2
    Join Date
    Dec 2003
    Location
    Russian Federation
    Posts
    8,356
    Why don't you install openwrt?

  3. #3
    Quote Originally Posted by Oleg
    Why don't you install openwrt?
    It would be the same problem, openwrt doesn't include the patch.

    Would the patch be different for your kernel ?

  4. #4
    Quote Originally Posted by acidbao
    It would be the same problem, openwrt doesn't include the patch.

    Would the patch be different for your kernel ?
    That's strange. Have you tried whiterussian or just guessing?

  5. #5
    Quote Originally Posted by Oleg
    That's strange. Have you tried whiterussian or just guessing?
    Hum ... I think I guessed that because I saw a patch, but maybe it's been included since then. Sorry about that.
    Anyway, is there any chance to have this Nat-T support in the kernel?

    I have some reluctance to use openwrt as oleg is based on ASUS's firmware (so I assume it's more adapted) and the last time I tried to flash openwrt to my ASUS WL-500gx, I broke it and I had to change it (maybe I was wrong, but I don't want to take the risk).

    Edit: It's included according to
    https://dev.openwrt.org/browser/trun...raversal.patch

  6. #6
    Well, yes it's possible. But you have to install a bunch of other stuff to make ipsec work.

  7. #7
    Quote Originally Posted by Oleg
    Well, yes it's possible. But you have to install a bunch of other stuff to make ipsec work.
    I've already installed and configured openswan, l2tpd and ppp. But for the userland software I'm using debian (see using debian on a USB stick). So the bunch of other stuff is not a problem.
    Moreover, as I said, the ipsec.o module (the only thing I have to start before entering debian currently) loads successfully under your firmware.

    So my problem currently is :

    Code:
    Apr 27 15:34:04 pluto[1829]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
    Apr 27 15:34:04 ipsec_setup: ...Openswan IPsec started
    Apr 27 15:34:05 pluto[1829]:   including NAT-Traversal patch (Version 0.6c)
    Apr 27 15:34:05 pluto[1829]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Apr 27 15:34:05 pluto[1829]: Using KLIPS IPsec interface code
    Apr 27 15:34:05 pluto[1829]: Changing to directory '/etc/ipsec.d/cacerts'
    Apr 27 15:34:05 ipsec_setup: Starting Openswan IPsec U2.2.0/K2.1.2rc5...
    Apr 27 15:34:05 pluto[1829]: Could not change to directory '/etc/ipsec.d/aacerts'
    Apr 27 15:34:05 pluto[1829]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Apr 27 15:34:05 pluto[1829]: Changing to directory '/etc/ipsec.d/crls'
    Apr 27 15:34:05 pluto[1829]:   Warning: empty directory
    Apr 27 15:34:14 pluto[1829]: added connection description "L2TP-PSK"
    Apr 27 15:34:14 pluto[1829]: listening for IKE messages
    Apr 27 15:34:14 pluto[1829]: NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled
    Apr 27 15:34:14 pluto[1829]: adding interface ipsec0/vlan1 81.56.77.86
    Apr 27 15:34:14 pluto[1829]: NAT-Traversal: ESPINUDP(2) not supported by kernel -- NAT-T disabled
    Apr 27 15:34:14 pluto[1829]: adding interface ipsec0/vlan1 81.56.77.86:4500
    Apr 27 15:34:14 pluto[1829]: loading secrets from "/etc/ipsec.secrets"
    Apr 27 15:34:14 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled
    Apr 27 15:34:14 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(2) not supported by kernel -- NAT-T disabled
    Last edited by acidbao; 27-04-2006 at 14:34.
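
Added example, not part of the original thread: a small Python parser for the pluto startup lines quoted in post #7, which reports that userland carries the NAT-Traversal patch while the kernel rejected both ESPINUDP types. The function name `diagnose_natt`, the result keys, and treating a missing port suffix as UDP 500 are assumptions of this example.

```python
import re

# Lines copied from the startup log quoted in post #7 (subset).
SAMPLE_LOG = """\
Apr 27 15:34:05 pluto[1829]:   including NAT-Traversal patch (Version 0.6c)
Apr 27 15:34:05 pluto[1829]: Using KLIPS IPsec interface code
Apr 27 15:34:14 pluto[1829]: NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled
Apr 27 15:34:14 pluto[1829]: adding interface ipsec0/vlan1 81.56.77.86
Apr 27 15:34:14 pluto[1829]: NAT-Traversal: ESPINUDP(2) not supported by kernel -- NAT-T disabled
Apr 27 15:34:14 pluto[1829]: adding interface ipsec0/vlan1 81.56.77.86:4500
Apr 27 15:34:14 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled
"""

# syslog prefix: "Apr 27 15:34:04 pluto[1829]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
PATCH = re.compile(r"including NAT-Traversal patch \(Version ([^)]+)\)")
STACK = re.compile(r"Using (\S+) IPsec interface code")
NO_ENCAP = re.compile(r"ESPINUDP\((\d+)\) not supported by kernel")
IFACE = re.compile(r"adding interface (\S+) ([\d.]+)(?::(\d+))?$")

def diagnose_natt(log_text):
    """Summarise NAT-T state from pluto startup lines (hypothetical helper)."""
    userland, stack, missing, listeners = None, None, set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        # ipsec__plutorun repeats pluto's warnings; count each only once.
        if not m or m.group("proc") != "pluto":
            continue
        msg = m.group("msg").strip()
        if (p := PATCH.search(msg)):
            userland = p.group(1)
        elif (s := STACK.search(msg)):
            stack = s.group(1)
        elif (e := NO_ENCAP.search(msg)):
            missing.add(int(e.group(1)))
        elif (i := IFACE.search(msg)):
            # Assumption: no ":port" suffix means IKE's default UDP 500.
            listeners.append((i.group(1), i.group(2), int(i.group(3) or 500)))
    return {
        "userland_natt": userland,          # NAT-T patch version reported by pluto
        "stack": stack,                     # kernel IPsec stack pluto is driving
        "kernel_missing": sorted(missing),  # ESPINUDP types the kernel rejected
        "listeners": listeners,
        # Usable only if pluto has the patch and no rejection line was logged.
        "natt_usable": userland is not None and not missing,
    }

if __name__ == "__main__":
    print(diagnose_natt(SAMPLE_LOG))
```

On the quoted log this reports the patch version 0.6c in userland, the KLIPS stack, both ESPINUDP types missing from the kernel, and an interface still added on port 4500.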

  8. #8
    Check your PM.
