[Openswan Users] Problems with OpenSwan - Win2K both behind NAT
Paul Wouters
paul at xelerance.com
Fri Jul 2 01:10:49 CEST 2004
On Thu, 1 Jul 2004, Sauro Saltini wrote:
> Trying to connect from the same clients placed behind a NAT gateway
> the first part of the connection seems ok (ISAKMP SA established) but
> after this I receive the message:
>
> cannot respond to IPsec SA request because no connection is known for
> 192.168.1.0/24===192.168.2.2:4500[<Certificate for
> OpenSwan>]...xxx.xxx.xxx.xxx:4500[<Certificate for Win2k
> Client>]===192.168.99.146/32
>
> where xxx.xxx.xxx.xxx is the public address of NAT box at client side
> and 192.168.99.146/32 is the client LAN IP.
>
> in my ipsec.conf I have configured two connections :
>
> conn roadwarrior-net
>     leftsubnet=192.168.1.0/24
>     also=roadwarrior
>
> conn roadwarrior
>     left=192.168.2.2
>     leftnexthop=192.168.2.1
>     leftcert=xxxxx.pem
>     right=%any
>     pfs=yes
>     auto=add
>
> When I connect with a client with real IP assigned the connection
> roadwarrior-net is started and IPsec SA is established correctly.
It looks like your Openswan end doesn't have 192.168.99.146/32 as a
possible private space behind NAT subnet. Is it part of your
virtual_private or part of a subnetwithin definition?
Paul
--
<Reverend> IRC is just multiplayer notepad.
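
Added example, not part of the original post and not the poster's actual configuration: how the `virtual_private` setting Paul asks about is commonly combined with the quoted conn definitions so that a NATed client's private address (here 192.168.99.146/32) can match a connection. The `nat_traversal` line, the RFC 1918 ranges and the `rightsubnet=vhost:%no,%priv` line are assumptions; all other values are copied from the quoted message.

```conf
version 2.0

config setup
    # Assumption: NAT-T is enabled on the gateway (the log shows port 4500).
    nat_traversal=yes
    # Private ranges a NATed client may present as its own address.
    # The gateway's protected LAN (192.168.1.0/24) is excluded with "!" so a
    # client cannot claim an address inside the network being protected.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior

conn roadwarrior
    left=192.168.2.2
    leftnexthop=192.168.2.1
    leftcert=xxxxx.pem
    right=%any
    # %no   : accept clients with a public address and no subnet, as before
    # %priv : accept a client behind NAT whose address falls inside
    #         virtual_private (192.168.99.146/32 is within 192.168.0.0/16)
    rightsubnet=vhost:%no,%priv
    pfs=yes
    auto=add
```

After reloading the configuration, `ipsec auto --status` should list the connection with the `vhost:` right side, and a retry from the NATed client should no longer log "no connection is known" for its /32.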