[Openswan Users] [NAT-T] one side thinks "established", the other...doesn't.

Paul Wouters paul at xelerance.com
Fri Jul 2 01:29:17 CEST 2004

On Fri, 2 Jul 2004, Ferdinand O. Tempel wrote:

> (right) == ( X --- ==
> (left)
> is a 2.6.7 based client running openswan-2.2.0dr1 on
> native ipsec using NAT-T. The thing in the middle between braces is a
> dumb NAT box which NATs to The
> is the gateway for, which is the receiving ipsec server
> (2.6.6, native ipsec, openswan-2.2.0dr1).
> The setup is pretty simple, just your basic PSK ipsec connection:
> left:
> conn nattest
>   left=%defaultroute
>   right=%any

Just a note, having a dynamic left and right can be tricky and might
confuse pluto. You might be better off using an IP or hostname (or hostname
in dyndns) instead.

>   rightsubnet=
>   authby=secret
>   auto=ignore

Do not put rightsubnet= statements for the natted private space there.
auto=ignore says this connection is not loaded? It seems you are withholding
information :) You should have auto=add or auto=start.

> right:
> conn nattest
>   right=%defaultroute
>   left=
>   leftnexthop=
>   authby=secret
>   auto=ignore

Same ignore here.

Note that both ends should include in a virtual_private or
subnetwithin declaration, and should NOT have the 10.100.100 in there.
(usually people put all of 192.168/16 and 10/8 in there)


<Reverend> IRC is just multiplayer notepad.
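
An added illustration, not part of Paul's reply or of Openswan itself, of what the two conn sections look like once the points above are applied (a fixed address for the server, auto=add/auto=start, no rightsubnet= for the NATted private space, virtual_private instead). Assumptions: the elided server addresses are written as placeholders, the 10.100.100 network is taken to be the LAN behind the ipsec server with a /24 mask (the mail gives no mask), and the nat_traversal=, virtual_private= and vhost:%priv syntax is Openswan's own NAT-T configuration syntax.

```ini
# Added example (not from the thread): ipsec.conf after applying the advice above.
# Placeholders: SERVER_PUBLIC_IP and SERVER_NEXTHOP_IP stand for the elided addresses.
# Assumption: the real LAN behind the ipsec server is 10.100.100.0/24 (the mail
# mentions 10.100.100 without a mask).

config setup
        # NAT-T must be enabled globally; the client sits behind a dumb NAT box.
        nat_traversal=yes
        # Private ranges a NATted road warrior may claim as its "virtual" subnet
        # (the usual 10/8 and 192.168/16). The server's own LAN is excluded with
        # "!": a client must never be allowed to claim the network that really
        # sits behind the gateway, or traffic for that LAN would be routed to it.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!10.100.100.0/24

# Server side (the "right" end in the thread). Same left/right meaning on both hosts.
conn nattest
        right=SERVER_PUBLIC_IP
        rightnexthop=SERVER_NEXTHOP_IP
        rightsubnet=10.100.100.0/24
        left=%any
        # Do not hard-code the NATted client's private address; let the client
        # announce it, restricted to virtual_private, or use no subnet at all.
        leftsubnet=vhost:%priv,%no
        authby=secret
        # auto=ignore would never load the conn; the server just waits.
        auto=add

# Client side (the "left" end), behind the NAT box.
conn nattest
        left=%defaultroute
        right=SERVER_PUBLIC_IP
        rightsubnet=10.100.100.0/24
        authby=secret
        # The client initiates.
        auto=start
```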
