[Openswan dev] Re: routing problem with NAT?
pi
list at wehowski.com
Tue Mar 16 10:10:45 CET 2004
>
>I'm assuming you are trying to use the NAT Traversal patches? If not, let
>me know.
>
>
Correct, I use this patch.
kernel 2.4.25
Linux FreeS/WAN 2.05
See `ipsec --copyright' for copyright information.
X.509-1.5.3 distributed by Andreas Steffen <andreas.steffen at strongsec.com>
Mar 15 23:21:34 moulinsart pluto[22523]: Starting Pluto (FreeS/WAN
Version 2.05 X.509-1.5.3 PLUTO_USES_KEYRR)
Mar 15 23:21:34 moulinsart pluto[22523]: including NAT-Traversal patch
(Version 0.6b)
>I see that you have a subnet you're trying to create a route to on each
>end; is that correct? Or are you doing the typical "road warrior"
>configuration? (FreeS/WAN server with a public IP and a network behind it,
>being accessed by a "road warrior", either on a public IP or behind a NAT
>gateway, with no network behind it). If you want a subnet on each and, and
>one end is behind a nat gateway, I don't believe it'll work -- it uses the
>"subnet" entry to create the route to the NAT'd IP you're coming from, at
>least from what I've been able to tell.
>
>
Ok, so what is the objective of the NAT-T patch?
Enclosed, you'll find the configuration including both ipsec.conf files.
Can someone explain to me what addresses to put in ipsec.conf for
moulinsart (behind NAT)?
Regards
Phil
-------------- next part --------------
PRIVNET1 (192.168.15.0/24)
|
|
| (192.168.15.1/24)
patty [--> Freeswan]
II (AA.AA.AA.AA)
II
II [INTERNET]
II
II
II (BB.BB.BB.BB)
LINUX-NAT-BOX
| (192.168.14.1/29)
|
| (192.168.14.5/29)
moulinsart [--> Freeswan]
| (192.168.1.2/24)
|
|
PRIVNET2 (192.168.1.0/24)
===============================================================================
ipsec.conf on moulinsart (behind the NAT box)
===============================================================================
version 2.0
config setup
        forwardcontrol=yes
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        overridemtu=1492
conn patty
        auto=start
        keyingtries=1
        left=192.168.14.5
        leftid=@moulinsart
        leftrsasigkey=[keyid AQPIAhuta]
        leftsubnet=192.168.1.0/24
        right=<AA.AA.AA.AA>
        rightid=@patty
        rightrsasigkey=[keyid AQOUQ0awm]
        rightsubnet=192.168.15.0/24
        type=tunnel
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
===============================================================================
ipsec.conf on patty (public address)
===============================================================================
version 2.0
config setup
        forwardcontrol=yes
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        overridemtu=1492
conn moulinsart
        auto=start
        keyingtries=1
        left=<AA.AA.AA.AA>
        leftid=@patty
        leftrsasigkey=[keyid AQOUQ0awm]
        leftsubnet=192.168.15.0/24
        right=<BB.BB.BB.BB>
        rightid=@moulinsart
        rightrsasigkey=[keyid AQPIAhuta]
        rightsubnet=192.168.1.0/24
        type=tunnel
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
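The attached ipsec.conf pair can be checked mechanically for the mirroring the two ends have to agree on. The Python script below is an added example for this thread, not code from the post, from FreeS/WAN or from Openswan. It embeds the two attached fragments as constructed sample input (re-indented the way ipsec.conf expects, with the thread's <AA.AA.AA.AA> and <BB.BB.BB.BB> placeholders kept as they are), parses them, reports every left*/right* setting the two ends disagree on, and marks which endpoint address is RFC 1918 space. On this input it reports exactly the point the quoted reply makes: moulinsart's own left= is 192.168.14.5, while patty reaches it as <BB.BB.BB.BB>, the NAT box's address.

```python
import ipaddress

# Constructed sample input: the two fragments attached to the thread.
MOULINSART_CONF = """\
version 2.0
config setup
    nat_traversal=yes
conn patty
    auto=start
    left=192.168.14.5
    leftid=@moulinsart
    leftrsasigkey=[keyid AQPIAhuta]
    leftsubnet=192.168.1.0/24
    right=<AA.AA.AA.AA>
    rightid=@patty
    rightrsasigkey=[keyid AQOUQ0awm]
    rightsubnet=192.168.15.0/24
    type=tunnel
"""

PATTY_CONF = """\
version 2.0
config setup
    nat_traversal=yes
conn moulinsart
    auto=start
    left=<AA.AA.AA.AA>
    leftid=@patty
    leftrsasigkey=[keyid AQOUQ0awm]
    leftsubnet=192.168.15.0/24
    right=<BB.BB.BB.BB>
    rightid=@moulinsart
    rightrsasigkey=[keyid AQPIAhuta]
    rightsubnet=192.168.1.0/24
    type=tunnel
"""

# What one end calls left*, the other end must call right*.
MIRRORED_KEYS = (("left", "right"), ("leftid", "rightid"),
                 ("leftsubnet", "rightsubnet"),
                 ("leftrsasigkey", "rightrsasigkey"))


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {section: {key: value}}.
    Headers ('config setup', 'conn NAME') sit in column 0, settings are
    indented key=value lines; comments and 'version' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # a header line
            kind, _, name = line.partition(" ")
            if kind in ("conn", "config") and name:
                current = name.strip()
                sections[current] = {}
            else:                               # e.g. 'version 2.0'
                current = None
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def endpoint_kind(addr):
    """'private' for RFC 1918 / non-global space, 'public' for a routable
    literal, 'placeholder' for anything that is not an IP literal
    (the thread masks its public addresses as <AA.AA.AA.AA>)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "placeholder"
    return "private" if ip.is_private else "public"


def audit_pair(local, remote):
    """Compare one conn as seen from both ends.  'mismatches' lists
    (local_key, local_value, remote_key, remote_value) for every mirrored
    setting that disagrees; 'nat_endpoints' lists the local keys whose
    address is private space, i.e. an endpoint its peer can only reach
    through a NAT gateway's public address."""
    mismatches = []
    for a, b in MIRRORED_KEYS:
        for mine, theirs in ((a, b), (b, a)):
            lv, rv = local.get(mine), remote.get(theirs)
            if lv != rv:
                mismatches.append((mine, lv, theirs, rv))
    nat_endpoints = [k for k in ("left", "right")
                     if endpoint_kind(local.get(k, "")) == "private"]
    return {"mismatches": mismatches, "nat_endpoints": nat_endpoints}


def audit_thread_configs():
    """Run the audit on the two fragments from the thread."""
    local = parse_ipsec_conf(MOULINSART_CONF)["patty"]
    remote = parse_ipsec_conf(PATTY_CONF)["moulinsart"]
    return audit_pair(local, remote)


if __name__ == "__main__":
    result = audit_thread_configs()
    for mine, lv, theirs, rv in result["mismatches"]:
        print(f"mismatch: moulinsart {mine}={lv} but patty {theirs}={rv}")
    for key in result["nat_endpoints"]:
        print(f"{key}= is private space: this endpoint sits behind NAT")
```

Run as a script it prints one mismatch (left/right) and one NAT endpoint (left). The ids, subnets and RSA key ids already mirror correctly, so the only disagreement between the two files is the one address the NAT box rewrites, which is what makes this setup different from a plain site-to-site tunnel.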