<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=NL link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi there,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>For an external service we are required to setup an Ipsec VPN tunnel that hides our private IP address. This is because the service has got many customers connecting to it which creates the problem that multiple customers can use the same private ip range, this would cause routing problems. I have succesfully setup a test environment without NAT (all addresses and names are for testing purposes, the setup does exists in a isoloted environment):<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> Windows XP Test station WindowsXP-1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> 192.168.1.23/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> | <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> | <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> | <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> CentOS 5.5 x86_64 OPENSWAN001<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> Openswan VPN Site to Site tunnel <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> ETH0 Support / SSH<o:p></o:p></span></p><p class=MsoNormal style='margin-left:35.4pt;text-indent:35.4pt'><span lang=EN-US style='mso-fareast-language:NL'>ETH1 Public: 123.123.123.1/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> ETH2 Private: 192.168.1.12/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> |<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> |<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> |<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> CentOS 5.5 x86_64 OPENSWAN002<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> Openswan VPN Site to Site tunnel<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> ETH0 Public: 123.123.123.2/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> ETH1 Support / SSH<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> ETH2 Private: 192.168.0.24/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> |<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> |<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> |<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> Windows XP Test station WindowsXP-2<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> 192.168.0.23/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>At this moment I have made the following configuration on both CentOS machines (/etc/ipsec.conf):<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>conn net-to-net<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> authby=secret<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> left=123.123.123.1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> leftsubnet=192.168.1.0/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> right=123.123.123.2<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> rightsubnet=192.168.0.0/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'> auto=start<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>Result is the tunnel is UP:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25706s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>000 #2: "net-to-net" esp.3eda20b2@123.123.123.1 esp.a0fe3092@123.123.123.2 tun.0@123.123.123.1 tun.0@123.123.123.2 ref=0 refhim=4294901761<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 265s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>And ping packets are encapsulated:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:51:50.082439 IP 123.123.123.2 > 123.123.123.1: ESP(spi=0x3eda20b2,seq=0x953), length 100<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:51:50.083725 IP 123.123.123.1 > 123.123.123.2: ESP(spi=0xa0fe3092,seq=0x953), length 100<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:51:51.082409 IP 123.123.123.2 > 123.123.123.1: ESP(spi=0x3eda20b2,seq=0x954), length 100<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:51:51.083383 IP 123.123.123.1 > 123.123.123.2: ESP(spi=0xa0fe3092,seq=0x954), length 100<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>The problem on OPENSWAN002:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>Tcpdump –I eth2 host 192.168.1.23<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:52:59.083232 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 35573, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:00.082712 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 35829, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:00.083285 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 35829, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:01.082772 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 36085, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:01.083299 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 36085, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:02.082830 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 36341, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:02.083524 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 36341, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:03.082721 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 36597, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>08:53:03.083306 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 36597, length 40<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>In this case the 192.168.0.23 should be natted to 123.123.123.2.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>At this moment this is correct because there is no configuration to support NAT. I have found the following website:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><a href="http://wiki.openswan.org/index.php/Openswan/NatTraversal">http://wiki.openswan.org/index.php/Openswan/NatTraversal</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>But this config does not work for me. The tunnel does not get’s the chance to setup phase1.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>Can anyone supply me with an example for this kind of configuration?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>Kind regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'>Mario Verhaeg<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:NL'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></body></html>