[Openswan Users] [NAT-T] one side thinks "established", the other...doesn't.

Paul Wouters paul at xelerance.com
Fri Jul 2 01:29:17 CEST 2004


On Fri, 2 Jul 2004, Ferdinand O. Tempel wrote:

> 192.168.1.200 (right) == (192.168.1.1 X 10.164.10.1) --- 10.100.100.2 ==
> 10.100.100.1 (left)
> 
> 192.168.1.200 is a 2.6.7 based client running openswan-2.2.0dr1 on
> native ipsec using NAT-T. The thing in the middle between braces is a
> dumb NAT box which NATs 192.168.1.0/24 to 10.164.10.1. The 10.100.100.2
> is the gateway for 10.100.100.1, which is the receiving ipsec server
> (2.6.6, native ipsec, openswan-2.2.0dr1).
> 
> The setup is pretty simple, just your basic PSK ipsec connection:
> 
> left:
> conn nattest
>   left=%defaultroute
>   right=%any

Just a note, having a dynamic left and right can be tricky and might
confuse pluto. You might be better off using an IP or hostname (or hostname
in dyndns) instead.

>   rightsubnet=192.168.1.200/32
>   authby=secret
>   auto=ignore

Do not put rightsubnet= statements for the natted private space there.
auto=ignore says this connection is not loaded? It seems you are withholding
information :) You should have auto=add or auto=start.
 
> right:
> conn nattest
>   right=%defaultroute
>   left=10.100.100.1
>   leftnexthop=10.100.100.2
>   authby=secret
>   auto=ignore

Same ignore here.

Note that both ends should include 192.168.1.0/24 in a virtual_private or
subnetwithin declaration, and should NOT have the 10.100.100 in there.
(usually people put all of 192.168/16 and 10/8 in there)

Paul
-- 

<Reverend> IRC is just multiplayer notepad.
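A small checker for the three points raised in the reply above, written as an added example (not code from the thread or from Openswan): it parses an ipsec.conf-style file and flags auto=ignore, a rightsubnet= that sits inside NATed private space, and a virtual_private that misses the client's range or covers the server's own network. The sample config and the two networks passed to check_conf() are constructed from the addresses in the thread.

```python
import ipaddress
# Constructed ipsec.conf fragment modelled on the "left" side in the thread;
# added example, not the original poster's file or Openswan code.
SAMPLE_CONF = """\
config setup
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
conn nattest
  left=%defaultroute
  right=%any
  rightsubnet=192.168.1.200/32
  auto=ignore
"""
def parse_ipsec_conf(text):
    # Unindented lines ('config setup', 'conn NAME') open a section; indented key=value lines belong to it.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():
            current = line
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def virtual_private_nets(setup):
    # Split virtual_private into (included, excluded) %v4 networks; a '!' prefix marks an exclusion.
    cidrs = [e[4:] for e in setup.get("virtual_private", "").split(",") if e.startswith("%v4:")]
    included = [ipaddress.ip_network(c) for c in cidrs if not c.startswith("!")]
    excluded = [ipaddress.ip_network(c[1:]) for c in cidrs if c.startswith("!")]
    return included, excluded

def check_conf(text, natted_client_net, server_net):
    # Apply the reply's rules; returns a list of warnings (empty means the file passes).
    sections = parse_ipsec_conf(text)
    included, excluded = virtual_private_nets(sections.get("config setup", {}))
    covered = lambda net, nets: any(net.subnet_of(n) for n in nets)
    client, server = ipaddress.ip_network(natted_client_net), ipaddress.ip_network(server_net)
    warnings = []
    if not covered(client, included):
        warnings.append(f"virtual_private does not cover NATed client range {client}")
    if covered(server, included) and not covered(server, excluded):
        warnings.append(f"virtual_private covers the server's own network {server}; exclude it with !")
    for name, keys in ((n, k) for n, k in sections.items() if n.startswith("conn ")):
        if keys.get("auto", "ignore") == "ignore":
            warnings.append(f"{name}: auto=ignore is never loaded; use auto=add or auto=start")
        rs = keys.get("rightsubnet")
        if rs and covered(ipaddress.ip_network(rs, strict=False), included):
            warnings.append(f"{name}: drop rightsubnet={rs}; virtual_private handles NATed space")
    return warnings
```

Running check_conf(SAMPLE_CONF, "192.168.1.0/24", "10.100.100.0/24") reports all three problems; adding %v4:!10.100.100.0/24, removing rightsubnet= and setting auto=add clears them.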
