[Openswan Users] openswan and red hat enterprise

Stephen Wong stephen.wong at avacue.com
Fri Apr 2 20:18:14 CEST 2004

Thanks for your kind hint.

Added the virtual_private as mentioned in the previous mail and also the
rightsubnet line.  The problem still persists.  Any idea?

----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Stephen Wong" <stephen.wong at avacue.com>
Cc: <users at lists.openswan.org>
Sent: Fri, Apr 02, 2004 18:45
Subject: Re: [Openswan Users] openswan and red hat enterprise

> On Fri, 2 Apr 2004, Stephen Wong wrote:
> > Thanks for your kind help Paul.  On the WinXP end, I am using SSH
> > 1.4, therefore, I don't have the ipsec.conf for you.
> >
> > Let me clarify a bit, there are totally 3 scenarios,
> >
> > 1. The server side ipsec.conf I posted last time works fine with the SSH
> > Sentinel client when both client and server are directly connected to the
> > Internet.  And everything works fine after the connection is established,
> > can ping, can telnet, etc.
> >
> > 2. When the client is hidden behind a NAT firewall, pre-shared secret mode can
> > connect, but cannot even ping.
> >
> > 3. When the client is hidden behind a NAT firewall and using an X509 certificate,
> > the server keeps on waiting for MI3 and retransmission of STATE_MAIN_R2.
> If you want a single connection definition to work both with and without
> you need to have something like
> rightsubnet=vhost:%no,%priv
> This ensures that connections from a direct IP (no "subnet" on client) and
> from a NATed IP ("subnet" in private space) are allowed.
> You will also need something like :
> in the config setup section. This example here says all private space
> can reside at the client, EXCEPT The exception is needed
> for the private space address range in use on the server side. (otherwise
> you could create a connection with the same private space IP address on
> both ends of the connection.)
> Please see the section on X509 and NAT in the documentation.
> Paul
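As an added illustration of the two settings Paul describes (this fragment is constructed for this page and is not taken from the thread or from the Openswan project's own documentation), here is an Openswan 2.x style ipsec.conf for an X509 roadwarrior connection. The server address 203.0.113.10, the server LAN 192.168.1.0/24 and the certificate filename are assumed placeholder values. The `virtual_private` list names the RFC 1918 ranges a NATed client may sit in and, with a leading `!`, excludes the range in use on the server side, which is the "EXCEPT" Paul refers to: without that exclusion a client could present an address overlapping the server's own LAN.

```conf
# /etc/ipsec.conf  (constructed example; addresses and filenames are placeholders)
config setup
        # accept clients behind NAT (UDP encapsulation)
        nat_traversal=yes
        # private address space a roadwarrior may live in (matched by %priv),
        # minus the range used on the server LAN (assumed 192.168.1.0/24)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.1.0/24

conn roadwarrior-x509
        # server public address (placeholder)
        left=203.0.113.10
        # LAN behind the server (assumed)
        leftsubnet=192.168.1.0/24
        # server certificate; signature auth taken from the cert
        leftcert=serverCert.pem
        leftrsasigkey=%cert
        # any client, whether directly on the Internet or behind NAT
        right=%any
        rightrsasigkey=%cert
        # %no   -> client arrives from its own public IP with no subnet
        # %priv -> client arrives from an address inside virtual_private
        rightsubnet=vhost:%no,%priv
        auto=add
```

After loading the configuration, `ipsec auto --status` lists the connection and shows the virtual_private ranges that are allowed and excluded, which is a quick way to confirm that the server-side LAN really is carved out before clients are let in.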
