[Openswan Users] openswan and red hat enterprise

Stephen Wong stephen.wong at avacue.com
Fri Apr 2 20:18:14 CEST 2004


Thanks for your kind hint.

Added the virtual_private as mentioned in the previous mail and also the
rightsubnet line.  The problem still persists.  Any idea?


----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Stephen Wong" <stephen.wong at avacue.com>
Cc: <users at lists.openswan.org>
Sent: Fri, Apr 02, 2004 18:45
Subject: Re: [Openswan Users] openswan and red hat enterprise


> On Fri, 2 Apr 2004, Stephen Wong wrote:
>
> > Thanks for your kind help Paul.  On the WinXP end, I am using SSH Sentinel
> > 1.4, therefore, I don't have the ipsec.conf for you.
> >
> > Let me clarify a bit, there are 3 scenarios in total,
> >
> > 1. The server side ipsec.conf I posted last time works fine with the SSH
> > Sentinel client when both client and server are directly connected to the
> > Internet.  And everything works fine after the connection is established,
> > i.e. can ping, can telnet, etc.
> >
> > 2. When the client is hidden behind a NAT firewall, pre-shared secret mode
> > can connect, but cannot even ping.
> >
> > 3. When the client is hidden behind a NAT firewall and using an X509
> > certificate, the server keeps on waiting for MI3 and retransmission of
> > STATE_MAIN_R2.
>
> If you want a single connection definition to work both with and without
> NAT, you need to have something like
>
> rightsubnet=vhost:%no,%priv
>
> This ensures that connections from a direct IP (no "subnet" on client) and
> from a NATed IP ("subnet" in private space) are allowed.
>
> You will also need something like :
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23
>
> in the config setup section. This example here says all private space
> can reside at the client, EXCEPT 192.168.0.0/23. The exception is needed
> for the private space address range in use on the server side (otherwise
> you could create a connection with the same private space IP address on
> both ends of the connection).
>
> Please see the section on X509 and NAT in the documentation.
>
> Paul
>
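As an added illustration (not code from this thread or from Openswan itself), the following Python models the allow/exclude semantics of the virtual_private line Paul quotes above: a NATed client's claimed private subnet must fall inside one of the listed ranges and must not overlap the excluded range that the server's own LAN uses. The parser is a simplified model of the %v4:/%v6:/! syntax, and the client proposals at the bottom are constructed sample values.

```python
import ipaddress

# Constructed example value, copied from the virtual_private line in the thread.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.0.0/23")


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) network lists.

    Entries are %v4:<cidr> or %v6:<cidr>; a '!' in front of the prefix marks
    a range that is carved out of the allowed space (simplified model of the
    syntax, not Openswan's own parser).
    """
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        family, sep, cidr = entry.partition(":")
        if not sep or family not in ("%v4", "%v6"):
            raise ValueError("unrecognised virtual_private entry: %r" % entry)
        target = excluded if cidr.startswith("!") else allowed
        target.append(ipaddress.ip_network(cidr.lstrip("!"), strict=False))
    return allowed, excluded


def client_subnet_permitted(subnet, value=VIRTUAL_PRIVATE):
    """Decide whether a NATed client's claimed private subnet is acceptable.

    The subnet must lie inside one of the allowed ranges and must not overlap
    any excluded range (the server's own LAN), so that the two ends of the
    tunnel can never claim the same private addresses.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    allowed, excluded = parse_virtual_private(value)
    same_family = lambda n: n.version == net.version
    inside = any(net.subnet_of(a) for a in allowed if same_family(a))
    clashes = any(net.overlaps(x) for x in excluded if same_family(x))
    return inside and not clashes


if __name__ == "__main__":
    # Constructed client proposals: clean, clashing with the server LAN,
    # a single NATed host, and a public range that is not private space.
    for proposal in ("192.168.5.0/24", "192.168.1.0/24", "10.0.0.7/32", "8.8.8.0/24"):
        verdict = "permitted" if client_subnet_permitted(proposal) else "rejected"
        print(proposal, "->", verdict)
```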
