Thanks Paul for your help!<div><br></div><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
/etc/ipsec.conf:<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
config setup<br>
protostack=netkey<br>
nat_traversal=yes<br>
virtual_private=<br>
</blockquote>
<br></div>
if you enable nat_traversal=yes on the server side, you generally want to fill in virtual_private=<br>
The example in the man page should work fine.<br></blockquote><div><br></div><div>My private net is <a href="http://10.0.1.0/24">10.0.1.0/24</a>, I'm only letting "Admins" get to it, so I'm setting it like this:</div>
<div><br></div><div>virtual_private=%v4:!<a href="http://10.0.1.0/24">10.0.1.0/24</a></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
oe=off<br>
nhelpers=0<br>
</blockquote>
<br>
the nhelpers line should not be needed.</blockquote><div><br></div><div>Commented out.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
include /etc/ipsec.d/*.conf<br>
<br>
<br>
/etc/ipsec.d/admin.conf<br>
conn adminclient<br>
right=%any<br>
rightca=%same<br>
rightid="C=US, ST=Kentucky, O=<my O>, OU=Admin, CN=*"<br>
leftcert=03.pem<br>
leftsubnet=<a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a><br>
</blockquote>
<br></div>
You should disallow <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> in your virtual_private= line by adding: %v4:!<a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a></blockquote><div><br></div><div>
Done, and I also have to have this in admin.conf (right?):</div><div><br></div><div>leftsubnets={192.168.128.0/24,0.0.0.0/0}</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
/etc/ipsec.d/user.conf<br>
conn userclient<br>
right=%any<br>
rightca=%same<br>
rightid="C=US, ST=Kentucky, O=<my O>, OU=User, CN=*"<br>
leftcert=03.pem<br>
</blockquote>
<br></div>
If I understood you correctly, you want to add leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> here?<br></blockquote><div><br></div><div>Right, I now have that, and your comment here made me think to add the 0/0 to the admin.conf above (thanks!).</div>
<div><br></div><div>I think that's it, thanks for your help Paul!</div></div></div>
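The point Paul makes in the thread is that the LAN the gateway serves (10.0.1.0/24 here) must be listed as an exclusion in virtual_private (a %v4:! entry), otherwise a road-warrior client may propose a virtual inner address inside that LAN and collide with it. The checker below is an added example and not code from this thread or from the Openswan/Libreswan project: it parses ipsec.conf-style config setup and conn sections (a deliberately small parser that understands only key=value lines, conn headers and '#' comments), splits virtual_private into allowed and excluded ranges, and reports every leftsubnet/leftsubnets entry that overlaps an allowed range without being covered by an exclusion. The two config strings are constructed samples modelled on the thread, not the poster's files. It also rejects the malformed %v: prefix (the correct form is %v4:), which is the kind of typo that otherwise silently leaves the exclusion out.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: LAN is excluded from virtual_private.
SAMPLE_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!10.0.1.0/24

conn adminclient
    right=%any
    rightca=%same
    leftcert=03.pem
    leftsubnet=10.0.1.0/24

conn userclient
    right=%any
    leftsubnet=0.0.0.0/0
"""

# Constructed weak variant: same allowed ranges, but the LAN is never excluded.
WEAK_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn adminclient
    right=%any
    leftsubnets={10.0.1.0/24,0.0.0.0/0}

conn userclient
    right=%any
    leftsubnet=0.0.0.0/0
"""


def parse_conf(text):
    """Return (setup_dict, {conn_name: {key: value}}) from ipsec.conf-style text."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line.startswith('config setup'):
            current = setup
        elif line.startswith('conn '):
            name = line.split(None, 1)[1]
            conns[name] = {}
            current = conns[name]
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            current[key.strip()] = value.strip()
    return setup, conns


def parse_virtual_private(value):
    """Split virtual_private into (allowed, excluded) networks.

    Entries look like %v4:10.0.0.0/8 or %v4:!10.0.1.0/24; the '!' marks a range
    that clients may NOT use as their virtual inner address.
    """
    allowed, excluded = [], []
    for entry in value.split(','):
        entry = entry.strip()
        if not entry:
            continue
        m = re.fullmatch(r'%v(4|6):(!?)(.+)', entry)
        if not m:   # e.g. the '%v:' typo from the thread
            raise ValueError(f'malformed virtual_private entry: {entry!r}')
        net = ipaddress.ip_network(m.group(3), strict=False)
        (excluded if m.group(2) else allowed).append(net)
    return allowed, excluded


def unexcluded_subnets(text):
    """Return [(conn, subnet)] for each gateway-side subnet a client could still
    claim a virtual address from: it overlaps an allowed virtual_private range
    and no '!' exclusion covers it. 0.0.0.0/0 (default route) is skipped."""
    setup, conns = parse_conf(text)
    allowed, excluded = parse_virtual_private(setup.get('virtual_private', ''))
    findings = []
    for name, conn in conns.items():
        raw = conn.get('leftsubnet') or conn.get('leftsubnets')
        if not raw:
            continue
        for sub in raw.strip('{}').split(','):
            net = ipaddress.ip_network(sub.strip(), strict=False)
            if net.prefixlen == 0:
                continue
            overlaps = any(a.version == net.version and net.overlaps(a) for a in allowed)
            covered = any(e.version == net.version and net.subnet_of(e) for e in excluded)
            if overlaps and not covered:
                findings.append((name, str(net)))
    return findings


if __name__ == '__main__':
    print('sample:', unexcluded_subnets(SAMPLE_CONF))   # expect []
    print('weak:  ', unexcluded_subnets(WEAK_CONF))     # expect the LAN flagged
```

Run it against a real ipsec.conf by reading the file into unexcluded_subnets(); an empty list means every served subnet is either excluded from virtual_private or is 0.0.0.0/0. The braces in leftsubnets={...} are stripped so the admin.conf form from the thread parses as well.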