[Openswan Users] [NAT-T] one side thinks "established", the other...doesn't.
Paul Wouters
paul at xelerance.com
Fri Jul 2 01:29:17 CEST 2004
On Fri, 2 Jul 2004, Ferdinand O. Tempel wrote:
> 192.168.1.200 (right) == (192.168.1.1 X 10.164.10.1) --- 10.100.100.2 ==
> 10.100.100.1 (left)
>
> 192.168.1.200 is a 2.6.7 based client running openswan-2.2.0dr1 on
> native ipsec using NAT-T. The thing in the middle between braces is a
> dumb NAT box which NATs 192.168.1.0/24 to 10.164.10.1. The 10.100.100.2
> is the gateway for 10.100.100.1, which is the receiving ipsec server
> (2.6.6, native ipsec, openswan-2.2.0dr1).
>
> The setup is pretty simple, just your basic PSK ipsec connection:
>
> left:
> conn nattest
> left=%defaultroute
> right=%any
Just a note, having a dynamic left and right can be tricky and might
confuse pluto. You might be better off using an IP or hostname (or hostname
in dyndns) instead.
> rightsubnet=192.168.1.200/32
> authby=secret
> auto=ignore
Do not put rightsubnet= statements for the natted private space there.
auto=ignore says this connection is not loaded? It seems you are withholding
information :) You should have auto=add or auto=start.
> right:
> conn nattest
> right=%defaultroute
> left=10.100.100.1
> leftnexthop=10.100.100.2
> authby=secret
> auto=ignore
Same ignore here.
Note that both ends should include 192.168.1.0/24 in a virtual_private or
subnetwithin declaration, and should NOT have the 10.100.100 in there.
(usually people put all of 192.168/16 and 10/8 in there)
Paul
--
<Reverend> IRC is just multiplayer notepad.
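As an added example (not from Paul's reply or the original poster's configuration), this is how the two ends could look with the fixes from the reply applied: auto=ignore replaced, the fixed rightsubnet for the NATed client dropped, and virtual_private covering the private ranges while excluding the gateway's own 10.100.100.0/24. The nat_traversal=yes line, the %v4:! exclusion syntax and rightsubnet=vhost:%priv,%no are assumptions about openswan's ipsec.conf syntax, not taken from the thread.

```ini
# ---- ipsec.conf on the receiving server, 10.100.100.1 ("left" in the thread) ----
config setup
    nat_traversal=yes                       # assumption: enables NAT-T, not shown in the thread
    # Accept NATed clients from the private ranges, but keep the gateway's
    # own 10.100.100.0/24 out of the virtual private space.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!10.100.100.0/24

conn nattest
    left=10.100.100.1
    leftnexthop=10.100.100.2
    right=%any                              # the NATed client shows up as 10.164.10.1
    rightsubnet=vhost:%priv,%no             # assumption: take the client's NATed address from
                                            # virtual_private instead of a fixed rightsubnet
    authby=secret
    auto=add                                # was auto=ignore, which never loads the conn

# ---- ipsec.conf on the client, 192.168.1.200 behind the NAT box ("right") ----
config setup
    nat_traversal=yes                       # assumption, as above
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!10.100.100.0/24

conn nattest
    left=10.100.100.1
    leftnexthop=10.100.100.2
    right=%defaultroute
    authby=secret
    auto=start                              # client initiates; was auto=ignore
```

With `ipsec auto --status` on the server after loading, the conn should now appear as loaded rather than being silently skipped.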