[Openswan Users] vpn server and DNAT
tgrzelak at wktpolska.com.pl
Fri Dec 17 11:43:43 CET 2004
Is it possible to have a vpn server in a LAN (with private IP)? I'm trying to
get the topology below working:
[vpn client] ------------ eth1[router]eth0 ------------ eth2[vpn server]
eth1=xx.xx.xx.xx (public IP)
eth0=yy.yy.yy.yy (private IP)
eth2=yy.yy.yy.zz (private IP)
The router is DNAT'ing UDP[500, 4500] from xx.xx.xx.xx to yy.yy.yy.zz.
When a client tries to connect, an SA is established (using a tunnel mode
(NAT-T)), but L2TP connection fails - openswan does not reply to a client,
and in the /var/log/auth.log I have: "Cannot respond to IPSec SA request
because no connection is known for xx.xx.xx.xx".
I'm using Debian+kernel 2.6.9+OpenSwan 2.2.0
I'd like to mention, that the opposite situation (meaning a client from a LAN
and behind NAT is able to connect the vpn server).
More information about the Users