[Openswan Users] vpn server and DNAT

Tomasz Grzelak tgrzelak at wktpolska.com.pl
Fri Dec 17 11:43:43 CET 2004


Is it possible to have a vpn server in a LAN (with private IP)? I'm trying to 
get the topology below working:

[vpn client] ------------ eth1[router]eth0 ------------ eth2[vpn server]

eth1=xx.xx.xx.xx (public IP)
eth0=yy.yy.yy.yy (private IP)
eth2=yy.yy.yy.zz (private IP)

The router is DNAT'ing UDP[500, 4500] from xx.xx.xx.xx to yy.yy.yy.zz.

When a client tries to connect, an SA is established (using a tunnel mode 
(NAT-T)), but L2TP connection fails - openswan does not reply to a client, 
and in the /var/log/auth.log I have: "Cannot respond to IPSec SA request
because no connection is known for xx.xx.xx.xx".

I'm using Debian+kernel 2.6.9+OpenSwan 2.2.0


I'd like to mention that the opposite situation works (meaning a client from a LAN, behind NAT, is able to connect to the vpn server).
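A small diagnostic that makes the mismatch behind the quoted log message visible, added here as an example (not part of the post and not Openswan's own code). It parses an ipsec.conf in the usual Openswan layout (top-level `conn`/`config` headers with indented `key=value` lines), collects every configured endpoint address, then scans auth.log lines for pluto's "no connection is known for" message and reports whether the address pluto names appears in any conn. The config and log lines are constructed; 192.0.2.10 stands in for the router's public xx.xx.xx.xx, 10.1.1.20 for the server's private yy.yy.yy.zz, and the conn name `l2tp-psk` is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed ipsec.conf: the server only knows its private address (stands in for yy.yy.yy.zz).
IPSEC_CONF = """\
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn l2tp-psk
    left=10.1.1.20
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    authby=secret
    pfs=no
    auto=add
"""

# Constructed auth.log excerpt; the last line carries the message quoted in the post.
# 192.0.2.10 stands in for the router's public xx.xx.xx.xx, 198.51.100.7 for the client.
AUTH_LOG = [
    'Dec 17 11:40:01 vpn pluto[4711]: "l2tp-psk"[1] 198.51.100.7 #1: responding to Main Mode from unknown peer 198.51.100.7',
    'Dec 17 11:40:02 vpn pluto[4711]: "l2tp-psk"[1] 198.51.100.7 #1: ISAKMP SA established',
    'Dec 17 11:40:02 vpn pluto[4711]: "l2tp-psk"[1] 198.51.100.7 #1: Cannot respond to IPSec SA request because no connection is known for 192.0.2.10',
]


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"conn NAME": {key: value, ...}, "config setup": {...}} from ipsec.conf text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            # Unindented line opens a section, e.g. "conn l2tp-psk" or "config setup".
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def configured_endpoints(sections: Dict[str, Dict[str, str]]) -> Set[str]:
    """Collect every address/ID pluto could match a peer against (left, right, leftid, rightid)."""
    endpoints: Set[str] = set()
    for name, kv in sections.items():
        if not name.startswith("conn "):
            continue
        for key in ("left", "right", "leftid", "rightid"):
            if key in kv:
                endpoints.add(kv[key])
    return endpoints


# Matches the pluto message regardless of the "IPsec"/"IPSec" spelling or capitalisation.
UNKNOWN_CONN_RE = re.compile(r"no connection is known for (\S+)", re.IGNORECASE)


def find_unknown_peers(log_lines: List[str]) -> List[str]:
    """Extract the address pluto says it has no connection for, from each matching log line."""
    return [m.group(1).rstrip(".,;") for line in log_lines if (m := UNKNOWN_CONN_RE.search(line))]


def diagnose(conf_text: str, log_lines: List[str]) -> Dict[str, bool]:
    """Map each complained-about address to whether it appears in any configured conn."""
    endpoints = configured_endpoints(parse_ipsec_conf(conf_text))
    return {addr: addr in endpoints for addr in find_unknown_peers(log_lines)}


if __name__ == "__main__":
    for addr, known in diagnose(IPSEC_CONF, AUTH_LOG).items():
        state = "is" if known else "is NOT"
        print(f"pluto rejected SA request for {addr}; that address {state} in any conn definition")
```

Run against the constructed input, the report shows that the address pluto rejects (the router's public address) appears in no conn, while the only `left` value is the private one: the client negotiated through the DNAT'd public address, so that is the endpoint it names in its SA request, and the server has no conn describing it. The same scan works over a real auth.log and ipsec.conf to confirm whether a given "no connection is known" rejection is this kind of address mismatch or a different peer entirely.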
