[Openswan dev] questions based on the VPN behind the NAT Box.

Shi Lang shilang at greenpacket.com
Wed Jan 18 09:09:33 CET 2006

Hi all,


I have two questions based on the VPN behind the NAT Box.



( ) VPN1 ( ) --- (br0: ) NAT1 (eth0: ) ----- (eth0: ) NAT2 (br0: ) --- ( ) VPN2 ( )


NAT1 and NAT2 are Linux OS boxes.


On NAT1 (a pure Linux PC) I did:

1. ifconfig eth0:1        (the address given to eth0:1 is the mapped IP
of VPN1's external interface eth0.)

2. iptables -t nat -I POSTROUTING 1 -s -j SNAT --to-source

3. iptables -t nat -I PREROUTING 1 -d -j DNAT --to-destination


I also did the corresponding settings on NAT2, mapping to




I have successfully established the tunnel between VPN1 and VPN2.



1.  But my first try was without leftid and rightid in the ipsec.conf on VPN1
and VPN2; it failed to complete the M3 negotiation (M1 and M2 of Main Mode
were OK, I checked with 'ipsec auto --status').

IKE RFC 2409 says: in Main Mode, the last two messages authenticate the DH.


2.  But if VPN1 connects directly to VPN2 (without the NAT boxes), then the
tunnel can be established without leftid and rightid.




My questions:



I am wondering what the purpose of the system identifiers (leftid and rightid)
in ipsec.conf is.

I referred to some papers, but I am still in the dark.


Hope to get advice from you, especially on why specifying 'left=ip' and
'right=ip' is not enough for this case (VPN behind a NAT box/firewall). Why
are leftid and rightid needed?



I used pure Linux OS as the NAT1 and NAT2 firewalls, but once I restart, the
ifconfig eth0:1 and iptables settings are lost, and I need to redo the three
settings.

I am also wondering, for this case, whether there is any other way to
configure Linux so that the above three settings are permanent.





Thanks very much.




Shi Lang

Quality Assurance Engineer

GreenPacket Bhd

http://www.greenpacket.com/

Tel: 006-03-89966022 ext: 105
E-mail: shilang at greenpacket.com


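Editor's note on the second question, with an added script that is not part of the original message. The three settings on NAT1 are a one-shot interface alias plus two nat-table rules, so they vanish on reboot; the usual answer is to put them in a script that runs at boot (or when eth0 comes up) and to make it idempotent so it can be rerun safely. The script below does that for the poster's three settings, with two corrections a practitioner would want: it uses ip(8) rather than ifconfig, and it places the DNAT rule in PREROUTING, because the DNAT target is only valid in the PREROUTING and OUTPUT hooks of the nat table, not in POSTROUTING. Addresses (192.0.2.2, 10.0.0.2), the file path /etc/iptables.rules and the DRY_RUN mechanism are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): make NAT1's three settings
# reboot-safe and idempotent. Assumed addresses (RFC 5737 ranges):
#   PUB_IP  - public alias on NAT1's eth0:1, the address VPN2 uses for VPN1
#   VPN1_IP - VPN1's real eth0 address on NAT1's br0 side
set -eu

: "${DRY_RUN:=}"

# run CMD... : execute CMD, or just print it when DRY_RUN is set, so the
# generated rules can be reviewed (and tested) on a box without iptables.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_nat_rule TABLE CHAIN RULE... : insert RULE at position 1 only if it
# is not already present (iptables -C), so running this at every boot or
# interface-up does not stack duplicate SNAT/DNAT rules.
ensure_nat_rule() {
    table=$1; chain=$2; shift 2
    if [ -n "$DRY_RUN" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -I "$chain" 1 "$@"
    fi
}

# apply_nat1 PUB_IP VPN1_IP : the poster's three settings in reusable form.
apply_nat1() {
    pub=$1; vpn=$2
    # 1. Public alias on eth0 ("ifconfig eth0:1 PUB_IP" in ip(8) form;
    #    "replace" makes a rerun a no-op instead of an error).
    run ip addr replace "$pub/32" dev eth0 label eth0:1
    # 2. SNAT: packets VPN1 sends out appear to come from the public alias.
    ensure_nat_rule nat POSTROUTING -s "$vpn" -j SNAT --to-source "$pub"
    # 3. DNAT: packets addressed to the public alias go to VPN1. This must
    #    be in PREROUTING; DNAT is not accepted in POSTROUTING.
    ensure_nat_rule nat PREROUTING -d "$pub" -j DNAT --to-destination "$vpn"
}

# persist : dump the live ruleset so iptables-restore can reload it at boot.
persist() {
    run sh -c 'iptables-save > /etc/iptables.rules'
}

# Usage: [DRY_RUN=1] PUB_IP=... VPN1_IP=... ./nat1.sh apply
case "${1:-}" in
    apply)
        apply_nat1 "${PUB_IP:-192.0.2.2}" "${VPN1_IP:-10.0.0.2}"
        persist
        ;;
esac
```

Review the commands first with DRY_RUN=1 ./nat1.sh apply, then hook the script into the boot sequence; where that hook lives is distribution-specific (for example /etc/rc.local, or a post-up line for eth0 in Debian's /etc/network/interfaces). If you prefer the distribution's own mechanisms, the alias can be declared as a static eth0:1 interface in the network configuration and the saved rules reloaded at boot with iptables-restore < /etc/iptables.rules.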