[Openswan Users] openswan and red hat enterprise

Paul Wouters paul at xelerance.com
Fri Apr 2 13:45:40 CEST 2004


On Fri, 2 Apr 2004, Stephen Wong wrote:

> Thanks for your kind help, Paul.  On the WinXP end, I am using SSH Sentinel
> 1.4, therefore I don't have the ipsec.conf for you.
> 
> Let me clarify a bit; there are 3 scenarios in total:
> 
> 1. The server-side ipsec.conf I posted last time works fine with the SSH
> Sentinel client when both client and server are directly connected to the
> Internet.  And everything works fine after the connection is established, i.e.
> I can ping, can telnet, etc.
> 
> 2. When the client is hidden behind a NAT firewall, pre-shared secret mode can
> connect, but cannot even ping.
> 
> 3. When the client is hidden behind a NAT firewall and using an X509 certificate, the
> server keeps on waiting for MI3 and retransmitting STATE_MAIN_R2.

If you want a single connection definition to work both with and without NAT,
you need to have something like 

rightsubnet=vhost:%no,%priv

This ensures that connections from a direct IP (no "subnet" on client) and from a NATed
IP ("subnet" in private space) are allowed.

You will also need something like:

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23

in the config setup section. This example here says all private space
can reside at the client, EXCEPT 192.168.0.0/23. The exception is needed
for the private space address range in use on the server side (otherwise
you could create a connection with the same private space IP address on
both ends of the connection).

Please see the section on X509 and NAT in the documentation.

Paul
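As an added illustration (not Openswan's own code), the following Python models the rule Paul describes: a connection with `rightsubnet=vhost:%no,%priv` admits a client with no subnet, or a NATed client whose private address falls inside one of the `virtual_private` ranges and does not overlap the `!`-excluded server-side range. The function names `parse_virtual_private` and `vhost_accepts`, the simplified parsing (IPv4 `%v4:` entries only), and the sample client addresses are assumptions constructed for this example.

```python
"""Simplified model of Openswan's virtual_private / rightsubnet=vhost:%no,%priv
semantics as described above. Added example, not Openswan code; the parsing
rules here are an assumption covering only %v4: entries."""
import ipaddress


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) IPv4 networks.
    Entries look like %v4:10.0.0.0/8; a '!' after the %v4: prefix marks an
    exclusion, i.e. the private range already in use on the server side."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue  # assumption: only IPv4 entries are modelled here
        net = entry[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def vhost_accepts(rightsubnet, client_subnet, virtual_private):
    """Return True if a client proposing client_subnet (None means no subnet,
    i.e. a host directly on the Internet) would be admitted by a connection
    whose rightsubnet is the given vhost:... value."""
    if not rightsubnet.startswith("vhost:"):
        raise ValueError("only the vhost: form is modelled")
    options = rightsubnet[len("vhost:"):].split(",")
    if client_subnet is None:
        return "%no" in options            # direct IP, no subnet behind it
    if "%priv" not in options:
        return False                       # private space not permitted
    net = ipaddress.ip_network(client_subnet, strict=False)
    allowed, excluded = parse_virtual_private(virtual_private)
    if any(net.overlaps(ex) for ex in excluded):
        return False                       # would collide with server-side LAN
    return any(net.subnet_of(al) for al in allowed)


# Constructed sample values: the virtual_private line from the mail and a few
# hypothetical client addresses as a NATed Sentinel client might present them.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.0.0/23")

if __name__ == "__main__":
    for client in (None, "192.168.5.7/32", "192.168.1.7/32", "203.0.113.9/32"):
        print(client, vhost_accepts("vhost:%no,%priv", client, VIRTUAL_PRIVATE))
```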
