On Thu, Jul 7, 2011 at 9:12 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Wed, 6 Jul 2011, Richard Pickett wrote:<br>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
if you enable nat_traversal=yes on the server side, you generally want to fill in virtual_private=<br>
The example in the man page should work fine.<br>
<br>
My private net is <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a>, I'm only letting "Admins" get to it, so I'm setting it like this:<br>
<br>
virtual_private=%v4:!<a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a><br>
</blockquote>
<br></div>
virtual_private is about what network the *clients* can be on behind NAT. It can be "Everything RFC1918<br>
except the RFC1918 space you are using on the server side".<br></blockquote><div><br>Now I'm a little confused. I ended up with that virtual_private line as a result of where you said:<br><br>> You should disallow <a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> in your virtual_private= line by adding: %v4:!<a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a><br>
<br>Now you're saying I shouldn't have it?<br><br>So you don't have to go digging through my post again:<br><br>Behind the server I have <a href="http://10.0.1.0/24">10.0.1.0/24</a> that only the admin connection should have access to, and I want all connections to forward all Internet traffic down the tunnel. So in the general config I have:<br>
<br>virtual_private=%v4:!<a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a><br><br>and in the admin connection I have:<br><br>/etc/ipsec.d/admin.conf<br>
conn adminclient<br>
right=%any<br>
rightca=%same<br>
rightid="C=US, ST=Kentucky, O=&lt;my O&gt;, OU=Admin, CN=*"<br>rightsubnet=vhost:%no,%priv<br>
leftcert=03.pem<br>leftsubnets={<a href="http://10.0.1.0/24,0.0.0.0/0">10.0.1.0/24,0.0.0.0/0</a>} #send everything and allow access to the left's private network<br><br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Note that you will also need a rightsubnet=vhost:%no,%priv<br></blockquote><div><br>Thanks again Paul!<br></div></div><br>
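An added illustration, not part of the thread and not Openswan's own code, of the point Paul makes about virtual_private=: it bounds the private space a NAT'ed client (rightsubnet=vhost:%no,%priv) may claim, and the "!" entry carves the server-side 10.0.1.0/24 out of that space. The entry syntax modelled here ("%v4:" or "%v6:" prefix, leading "!" for an exclusion, comma-separated) is assumed from the %v4: form Paul uses; the config string and client addresses are constructed.

```python
import ipaddress

# Added example: a model of how a virtual_private= list constrains the
# address a NAT'ed client may claim. Syntax is assumed: comma-separated
# entries, each "%v4:" or "%v6:" followed by a CIDR, "!" marking exclusion.

def parse_virtual_private(value):
    """Return (includes, excludes) as lists of ip_network objects."""
    includes, excludes = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("%v4:"):
            body, version = entry[4:], 4
        elif entry.startswith("%v6:"):
            body, version = entry[4:], 6
        else:
            # e.g. "%v:" (address family missing) is rejected rather than guessed
            raise ValueError("bad virtual_private entry: %r" % entry)
        negate = body.startswith("!")
        net = ipaddress.ip_network(body.lstrip("!"), strict=True)
        if net.version != version:
            raise ValueError("address family mismatch in %r" % entry)
        (excludes if negate else includes).append(net)
    return includes, excludes

def client_net_allowed(client_cidr, includes, excludes):
    """%priv as modelled here: the client's claimed subnet must lie inside an
    included range and must not overlap any excluded range."""
    cnet = ipaddress.ip_network(client_cidr, strict=False)
    inside = any(cnet.version == n.version and cnet.subnet_of(n) for n in includes)
    clashes = any(cnet.version == n.version and cnet.overlaps(n) for n in excludes)
    return inside and not clashes

# Constructed config: all RFC1918 space, minus the 10.0.1.0/24 behind the server.
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.1.0/24"

if __name__ == "__main__":
    inc, exc = parse_virtual_private(VIRTUAL_PRIVATE)
    for client in ("192.168.1.10/32", "10.0.2.5/32", "10.0.1.5/32", "10.0.0.0/16"):
        print(client, "allowed" if client_net_allowed(client, inc, exc) else "rejected")
```

A client that claims an address inside 10.0.1.0/24 is rejected even though 10.0.0.0/8 is included, which is exactly the overlap the exclusion is there to prevent.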