<![CDATA[Latest posts for the topic "[Openswan] Problems configuring a VPN between Linux and Fortigate?"]]> /hvaonline/posts/list/24.html JForum - http://www.jforum.net
[Openswan] Problems configuring a VPN between Linux and Fortigate?
Linux box <----> ADSL Modem <---> Internet <---> Fortigate Firewall
I installed Openswan with apt-get, so the default IPsec stack is NETKEY: Code:
$ ipsec version
Linux Openswan U2.4.12/K2.6.27-7-generic (netkey)
See `ipsec --copyright' for copyright information.
In the ipsec.conf configuration file I added one line:
include /etc/ipsec.d/*.conf 
The configuration file defining the connection to the Fortigate, /etc/ipsec.d/forti.conf: Code:
conn forti
        leftxauthclient=yes
        rightxauthserver=yes
        left=%defaultroute
        leftsourceip=192.168.1.7
        leftnexthop=192.168.1.1
        leftsubnet=192.168.1.0/24
        right=x.x.x.x
        ike=3des-sha1
        ikelifetime=28800s
        esp=3des-md5
        keylife=3600s
        keyexchange=ike
        authby=secret
        compress=yes
        auto=add
I use preshared keys for authentication. In /etc/ipsec.secrets I added the following line:
include /etc/ipsec.d/forti.secrets 
The file that stores the preshared keys, /etc/ipsec.d/forti.secrets: Code:
192.168.1.7 x.x.x.x : PSK "<preshared_keys>"
Checking again before starting the VPN: Code:
$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.12/K2.6.27-7-generic (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets)     [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
I tried starting the VPN:
$ sudo ipsec auto --up forti
[sudo] password for quanta:
Name enter: quan.ta
Enter secret:
104 "forti" #3: STATE_MAIN_I1: initiate
003 "forti" #3: received Vendor ID payload [RFC 3947] method set to=109
003 "forti" #3: received Vendor ID payload [Dead Peer Detection]
003 "forti" #3: received Vendor ID payload [XAUTH]
106 "forti" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "forti" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "forti" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "forti" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
041 "forti" #3: forti prompt for Username:
040 "forti" #3: forti prompt for Password:
004 "forti" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "forti" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "forti" #4: STATE_QUICK_I1: initiate
003 "forti" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "forti" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa81e9489 <0x958a0e67 xfrm=3DES_0-HMAC_MD5 NATD=xxxx:4500 DPD=none}
The log file /var/log/auth.log shows this:
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: initiating Main Mode
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: received Vendor ID payload [RFC 3947] method set to=109
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: received Vendor ID payload [Dead Peer Detection]
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: received Vendor ID payload [XAUTH]
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: I did not send a certificate because I do not have one.
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: Main mode peer ID is ID_IPV4_ADDR: 'xxxx'
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: XAUTH username requested, but no file descriptor available for prompt
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: sending encrypted notification CERTIFICATE_UNAVAILABLE to xxxx:4500
Mar 16 16:23:04 quanta-laptop pluto[7629]: "forti" #2: IPsec SA expired (LATEST!)
Checking the connection status:
$ sudo ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.7
000 interface eth0/eth0 192.168.1.7
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,648} attrs={0,4,432}
000
000 "forti": 192.168.1.0/24===192.168.1.7[XC+S=C]---192.168.1.1...xxxx[XS+S=C]; erouted; eroute owner: #4
000 "forti": srcip=192.168.1.7; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "forti": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "forti": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,32; interface: eth0; encap: esp;
000 "forti": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "forti": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "forti": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "forti": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000 "forti": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "forti": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "forti": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #4: "forti":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1740s; newest IPSEC; eroute owner
000 #4: "forti" esp.a81e9489@xxxx esp.958a0e67@192.168.1.7 tun.0@xxxx tun.0@192.168.1.7
000 #3: "forti":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 2297s; newest ISAKMP; lastdpd=1s(seq in:0 out:0)
000
I tried traceroute but got no result: Code:
$ traceroute xxxx
traceroute to xxxx, 30 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
Sniffing a few packets on eth0 gives:
$ sudo tcpdump -vv -n -i eth0 host xxxx
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:44:49.559172 IP (tos 0x0, ttl 54, id 34931, offset 0, flags [none], proto UDP (17), length 124) xxxx.4500 > 192.168.1.7.4500: NONESP-encap: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]
16:44:49.560333 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 192.168.1.7.4500 > xxxx.4500: NONESP-encap: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]
In short, I have not been able to get the VPN working. Could someone help me? If you need any more information I will provide it. Thanks, everyone.]]>
/hvaonline/posts/list/28220.html#173440 /hvaonline/posts/list/28220.html#173440 GMT
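Added example, not part of the original post: a small Python sketch that groups pluto lines such as the auth.log excerpt above by connection and SA number, and reports the last IKE state each SA reached together with the XAUTH prompt failure, notifications sent and SA expiry. The function names and event labels are this example's own; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Lines copied from the auth.log excerpt in the post (the peer address is masked as xxxx there).
SAMPLE_LOG = """\
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: initiating Main Mode
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: XAUTH username requested, but no file descriptor available for prompt
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: sending encrypted notification CERTIFICATE_UNAVAILABLE to xxxx:4500
Mar 16 16:23:04 quanta-laptop pluto[7629]: "forti" #2: IPsec SA expired (LATEST!)
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\bSTATE_[A-Z0-9_]+\b')
NOTIFY_RE = re.compile(r'sending encrypted notification (\w+)')

def summarize(log_text):
    """Return {(conn, sa_number): {"last_state": str or None, "events": [str]}}."""
    sas = defaultdict(lambda: {"last_state": None, "events": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-SA pluto line
        entry = sas[(m["conn"], int(m["sa"]))]
        msg = m["msg"]
        states = STATE_RE.findall(msg)
        if states:
            entry["last_state"] = states[-1]  # in a transition line the target state comes last
        if "no file descriptor available for prompt" in msg:
            entry["events"].append("xauth-prompt-failed")
        n = NOTIFY_RE.search(msg)
        if n:
            entry["events"].append("notify-sent:" + n.group(1))
        if "IPsec SA expired" in msg:
            entry["events"].append("ipsec-sa-expired")
    return dict(sas)

def stalled_after_phase1(summary):
    """SAs whose last logged state is STATE_MAIN_I4 and that logged an XAUTH prompt failure."""
    return sorted(key for key, e in summary.items()
                  if e["last_state"] == "STATE_MAIN_I4" and "xauth-prompt-failed" in e["events"])

if __name__ == "__main__":
    for key, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(key, entry)
    print("stalled:", stalled_after_phase1(summarize(SAMPLE_LOG)))
```
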
Re: [Openswan] Problems configuring a VPN between Linux and Fortigate? /hvaonline/posts/list/28220.html#173455 /hvaonline/posts/list/28220.html#173455 GMT
Re: [Openswan] Problems configuring a VPN between Linux and Fortigate?
openswan-2.6.20.tar.gz and linux-source-2.6.27.tar.bz2 (already available in /usr/src on Ubuntu). Extract them and create a soft link:
cd /usr/src
tar zxvf openswan-2.6.20.tar.gz
tar jxvf linux-source-2.6.27.tar.bz2
ln -s linux-source-2.6.27 linux
Set the KERNELSRC environment variable:
export KERNELSRC=/usr/src/linux
Create the patch file with:
cd openswan-2.6.20
make nattpatch > ../nat-t.patch
The contents of this file: Code:
cat nat-t.patch 
if [ -f /usr/src/linux/Makefile ]; then \
		make nattpatch2.6; \
	else	echo "Cannot determine Linux kernel version. Perhaps you need to set KERNELSRC? (eg: export KERNELSRC=/usr/src/linux-`uname -r`/)"; exit 1; \
	fi;
make[1]: Entering directory `/usr/src/openswan-2.6.20'
packaging/utils/nattpatch 2.6
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ nat-t/include/net/xfrmudp.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,11 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t oldfunc);
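Review bot: the new header include/net/xfrmudp.h has no include guard and uses struct sk_buff and __u16 in the xfrm4_rcv_encap_t typedef without including or forward-declaring either, so it only compiles when the including file has already pulled those definitions in. Add an #ifndef/#define guard, a forward declaration of struct sk_buff and the include that provides __u16, so the header is self-contained.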
--- /distros/kernel/linux-2.6.11.2/net/ipv4/Kconfig	2005-03-09 03:12:33.000000000 -0500
+++ swan26/net/ipv4/Kconfig	2005-04-04 18:46:13.000000000 -0400
@@ -351,2 +351,8 @@
 
+config IPSEC_NAT_TRAVERSAL
+	bool "IPSEC NAT-Traversal (KLIPS compatible)"
+	depends on INET
+	---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
 config IP_TCPDIAG
--- plain26/net/ipv4/udp.c.orig	2006-12-28 20:53:17.000000000 -0500
+++ plain26/net/ipv4/udp.c	2007-05-11 10:22:50.000000000 -0400
@@ -108,6 +108,7 @@
 #include <net/inet_common.h>
 #include <net/checksum.h>
 #include <net/xfrm.h>
+#include <net/xfrmudp.h>
 
 /*
  *	Snmp MIB for the UDP layer
@@ -881,6 +882,31 @@
 	sk_common_release(sk);
 }
 
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+			       , xfrm4_rcv_encap_t *oldfunc)
+{
+  if(oldfunc != NULL) {
+    *oldfunc = xfrm4_rcv_encap_func;
+  }
+
+  xfrm4_rcv_encap_func = func;
+  return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func, xfrm4_rcv_encap_t old)
+{
+  if(xfrm4_rcv_encap_func != func)
+    return -1;
+
+  xfrm4_rcv_encap_func = old;
+  return 0;
+}
+#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
+
+
 /* return:
  * 	1  if the the UDP system should process it
  *	0  if we should drop this packet
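Review bot: xfrm4_rcv_encap_func is written by udp4_register_esp_rcvencap() and udp4_unregister_esp_rcvencap() with plain assignments and no lock or RCU, while the receive path in udp_encap_rcv() tests it for NULL and then calls through it, so an unregister between the test and the call can leave the receive path calling a stale or NULL pointer. Publish the pointer with rcu_assign_pointer() and read it once with rcu_dereference() (or protect both sides with a lock), and make register refuse to overwrite an installed handler when oldfunc is NULL, since the previous handler is then lost. The closing #endif comment also names CONFIG_XFRM_MODULE while the #if tests CONFIG_XFRM.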
@@ -888,9 +914,9 @@
  */
 static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 {
-#ifndef CONFIG_XFRM
+#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
 	return 1; 
-#else
+#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
 	struct udp_sock *up = udp_sk(sk);
   	struct udphdr *uh;
 	struct iphdr *iph;
@@ -1018,10 +1044,27 @@
 			return 0;
 		}
 		if (ret < 0) {
-			/* process the ESP packet */
-			ret = xfrm4_rcv_encap(skb, up->encap_type);
-			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
-			return -ret;
+ 			if(xfrm4_rcv_encap_func != NULL)
+				ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+	
+			switch(ret) {
+			case 1:
+				/* FALLTHROUGH to send-up */;
+				break;
+				
+			case 0:
+                                /* PROCESSED, free it */
+				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+				return 0;
+				
+			case -1:
+				/* PACKET wasn't for _func, or no func, pass it
+				 * to stock function
+				 */
+				ret = xfrm4_rcv_encap(skb, up->encap_type);
+				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+				return -ret;
+			}
 		}
 		/* FALLTHROUGH -- it's a UDP Packet */
 	}
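Review bot: the switch(ret) in udp_encap_rcv() has no default case, so when ret arrives as a negative value other than -1, or the registered handler returns anything besides 1, 0 or -1, the packet is neither handed to xfrm4_rcv_encap() nor counted and simply falls through to ordinary UDP processing; the removed code sent every ret < 0 to xfrm4_rcv_encap(). Add a default branch that takes the stock xfrm4_rcv_encap() path (or treat any negative ret that way), and read xfrm4_rcv_encap_func into a local once so the NULL test and the call use the same value.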
@@ -1110,7 +1153,6 @@
 /*
  *	All we need to do is get the socket, and then do a checksum. 
  */
- 
 int udp_rcv(struct sk_buff *skb)
 {
   	struct sock *sk;
@@ -1599,3 +1641,9 @@
 EXPORT_SYMBOL(udp_proc_register);
 EXPORT_SYMBOL(udp_proc_unregister);
 #endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif
+
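Review bot: the two EXPORT_SYMBOL lines are guarded by CONFIG_IPSEC_NAT_TRAVERSAL only, but udp4_register_esp_rcvencap() and udp4_unregister_esp_rcvencap() are compiled under CONFIG_XFRM || CONFIG_IPSEC_NAT_TRAVERSAL, so a kernel built with CONFIG_XFRM alone carries the hook without exporting it and a module that needs it cannot resolve the symbols. Use the same condition in both places, or build the hook only under CONFIG_IPSEC_NAT_TRAVERSAL.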
make[1]: Leaving directory `/usr/src/openswan-2.6.20'
Apply patch: Code:
cd ../linux
cat ../nat-t.patch | patch -p1
patching file include/net/xfrmudp.h
patching file net/ipv4/Kconfig
Hunk #1 succeeded at 351 with fuzz 1.
patching file net/ipv4/udp.c
Hunk #1 FAILED at 108.
Hunk #2 FAILED at 882.
Hunk #3 FAILED at 914.
Hunk #4 FAILED at 1044.
Hunk #5 FAILED at 1153.
Hunk #6 succeeded at 1789 (offset 148 lines).
5 out of 6 hunks FAILED -- saving rejects to file net/ipv4/udp.c.rej
My udp.c.rej file looks like this: Code:
***************
*** 108,113 ****
  #include <net/inet_common.h>
  #include <net/checksum.h>
  #include <net/xfrm.h>
  
  /*
   *	Snmp MIB for the UDP layer
--- 108,114 ----
  #include <net/inet_common.h>
  #include <net/checksum.h>
  #include <net/xfrm.h>
+ #include <net/xfrmudp.h>
  
  /*
   *	Snmp MIB for the UDP layer
***************
*** 881,886 ****
  	sk_common_release(sk);
  }
  
  /* return:
   * 	1  if the the UDP system should process it
   *	0  if we should drop this packet
--- 882,912 ----
  	sk_common_release(sk);
  }
  
+ #if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+ 
+ static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+ int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+ 			       , xfrm4_rcv_encap_t *oldfunc)
+ {
+   if(oldfunc != NULL) {
+     *oldfunc = xfrm4_rcv_encap_func;
+   }
+ 
+   xfrm4_rcv_encap_func = func;
+   return 0;
+ }
+ 
+ int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func, xfrm4_rcv_encap_t old)
+ {
+   if(xfrm4_rcv_encap_func != func)
+     return -1;
+ 
+   xfrm4_rcv_encap_func = old;
+   return 0;
+ }
+ #endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
+ 
+ 
  /* return:
   * 	1  if the the UDP system should process it
   *	0  if we should drop this packet
***************
*** 888,896 ****
   */
  static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
  {
- #ifndef CONFIG_XFRM
  	return 1; 
- #else
  	struct udp_sock *up = udp_sk(sk);
    	struct udphdr *uh;
  	struct iphdr *iph;
--- 914,922 ----
   */
  static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
  {
+ #if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
  	return 1; 
+ #else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
  	struct udp_sock *up = udp_sk(sk);
    	struct udphdr *uh;
  	struct iphdr *iph;
***************
*** 1018,1027 ****
  			return 0;
  		}
  		if (ret < 0) {
- 			/* process the ESP packet */
- 			ret = xfrm4_rcv_encap(skb, up->encap_type);
- 			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
- 			return -ret;
  		}
  		/* FALLTHROUGH -- it's a UDP Packet */
  	}
--- 1044,1070 ----
  			return 0;
  		}
  		if (ret < 0) {
+  			if(xfrm4_rcv_encap_func != NULL)
+ 				ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+ 	
+ 			switch(ret) {
+ 			case 1:
+ 				/* FALLTHROUGH to send-up */;
+ 				break;
+ 				
+ 			case 0:
+                                 /* PROCESSED, free it */
+ 				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+ 				return 0;
+ 				
+ 			case -1:
+ 				/* PACKET wasn't for _func, or no func, pass it
+ 				 * to stock function
+ 				 */
+ 				ret = xfrm4_rcv_encap(skb, up->encap_type);
+ 				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+ 				return -ret;
+ 			}
  		}
  		/* FALLTHROUGH -- it's a UDP Packet */
  	}
***************
*** 1110,1116 ****
  /*
   *	All we need to do is get the socket, and then do a checksum. 
   */
-  
  int udp_rcv(struct sk_buff *skb)
  {
    	struct sock *sk;
--- 1153,1158 ----
  /*
   *	All we need to do is get the socket, and then do a checksum. 
   */
  int udp_rcv(struct sk_buff *skb)
  {
    	struct sock *sk;
http://lists.virus.org/users-openswan-0806/msg00104.html also has someone who ran into the same error as me. Paul told them to try "applying it by hand". But to be honest I am bad at C, so I have no idea how to do that. Could someone show me? One way or another, I have to get the NAT-T patch applied before I can go any further. P/S: I have tried with the latest kernel, 2.6.28.8, and still get the same error as above.]]>
/hvaonline/posts/list/28220.html#173668 /hvaonline/posts/list/28220.html#173668 GMT