[Openswan Users] openswan and red hat enterprise
paul at xelerance.com
Fri Apr 2 13:45:40 CEST 2004
On Fri, 2 Apr 2004, Stephen Wong wrote:
> Thanks for your kind help Paul. On the WinXP end, I am using SSH Sentinel
> 1.4, therefore, I don't have the ipsec.conf for you.
> Let me clarify a bit, there are totally 3 scenarios,
> 1. The server side ipsec.conf I posted last time works fine with the SSH
> Sentinel client when both client and server are directly connected to the
> Internet. And everything works fine after the connection is established, i.e.
> can ping, can telnet, etc.
> 2. When the client is hidden behind a NAT firewall, pre-shared secret mode can
> connect, but cannot even ping.
> 3. When the client is hidden behind a NAT firewall and using an X509 certificate, the
> server keeps on waiting for MI3 and retransmission of STATE_MAIN_R2.
If you want a single connection definition to work both with and without NAT,
you need to have something like
This ensures that connections from a direct IP (no "subnet" on client) and from a NATed
IP ("subnet" in private space) are allowed.
You will also need something like :
in the config setup section. This example here says all private space
can reside at the client, EXCEPT 192.168.0.0/23. The exception is needed
for the private space address range in use on the server side (otherwise
you could create a connection with the same private space IP address on
both ends of the connection).
Please see the section on X509 and NAT in the documentation.
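An illustration of the two settings Paul's reply describes, added here as an example and not taken from his mail (the configuration lines of the original message are not present on this page). The directive names (virtual_private in config setup, rightsubnet=vhost:%no,%priv in the conn) are Openswan's as I know them; the address ranges, certificate file name and connection name are placeholders, with 192.168.0.0/23 standing in for the server-side LAN mentioned in the reply.

```ini
# Added example, not the configuration from the original mail.
# Addresses, certificate file name and conn name are placeholders.

config setup
    # Allow clients behind a NAT firewall to negotiate NAT traversal.
    nat_traversal=yes
    # Private ranges a NATed client may present as its "subnet",
    # EXCEPT 192.168.0.0/23, which is the private range in use on
    # the server side. Without the exclusion the same private IP
    # could appear on both ends of one connection.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23

conn roadwarrior-x509
    left=%defaultroute
    # Server-side LAN (placeholder); matches the exclusion above.
    leftsubnet=192.168.0.0/23
    # Server certificate, placeholder file name.
    leftcert=serverCert.pem
    leftrsasigkey=%cert
    right=%any
    # %no:   client with a direct (public) IP and no subnet
    # %priv: client behind NAT, presenting a private address
    #        that lies inside virtual_private
    rightsubnet=vhost:%no,%priv
    # Peer authenticates with the certificate it sends (X509).
    rightrsasigkey=%cert
    auto=add
```

With a single conn written this way the same definition serves both the directly connected client (scenario 1 of the quoted mail) and the NATed client; the virtual_private exclusion is what keeps a NATed client from claiming an address that collides with the server's own 192.168.0.0/23.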