From: Emmanuel D. <ma...@us...> - 2005-10-10 08:41:47
Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon/doc In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv17297/src/racoon/doc Modified Files: FAQ Log Message: Add the --enable-broken-natt for kernels implementing NAT-T but unable to cope with IKE ports in SAD and SPD. Index: FAQ =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/doc/FAQ,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- FAQ 3 Jan 2005 22:18:05 -0000 1.6 +++ FAQ 10 Oct 2005 08:41:44 -0000 1.7 @@ -39,6 +39,14 @@ http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you live in a country where software patents are legal, using NAT-Traversal might infringe a patent. + --enable-broken-natt: + When ipsec-tools is built with --enable-natt, racoon + sets IKE ports in SAD and SPD so that the kernel is + able to ditinguish peers hidden behind the same NAT. + Some kernel will not cope with that ports. Use that + option to force the ports to 0 in SAD ans SPD. Of + course this means that you cannot have multiple peers + behind the same NAT. --enable-frag: Enable IKE fragmentation, which is a workaround for broken routers that drop fragmented packets |
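Review bot: The new --enable-broken-natt entry ends with "you cannot have multiple peers behind the same NAT" but does not say what racoon or the kernel does when a second peer behind that NAT negotiates anyway. With the ports forced to 0 in SAD and SPD, those peers can no longer be told apart, so the FAQ should say whether the second negotiation is rejected or replaces the first peer's entries. It would also help to state explicitly that the option is given in addition to --enable-natt, which the text implies but never says, and to name at least one kernel that needs it. The added lines also carry typos worth fixing before this lands: "ditinguish" should be "distinguish", "SAD ans SPD" should be "SAD and SPD", and "Some kernel will not cope with that ports" reads better as "Some kernels cannot cope with those ports".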