[Openswan Users] [NAT-T] one side thinks "established", the other...doesn't.

Ferdinand O. Tempel pw at linuxops.net
Fri Jul 2 01:40:40 CEST 2004

On Fri, 2004-07-02 at 00:29, Paul Wouters wrote:
> > left:
> > conn nattest
> >   left=%defaultroute
> >   right=%any
> Just a note, having a dynamic left and right can be tricky and might
> confuse pluto. You might be better of using an IP or hostname (or hostname
> in dyndns) instead.

I'll make it more explicit on the next test, tomorrow. It might be the
problem, though it does seem to work fine up until it's time to talk

> >   rightsubnet=
> >   authby=secret
> >   auto=ignore
> Do not put rightsubnet= statements for the natted private space there.
> auth=ignore says this connection is not loaded? It seems you are withholding
> information :) You should have auto=add or auto=start.

To be able to catch a decent, trackable logging output I --add and --up
the connections manually :P This is just a testing connection, nothing

I'm following the README for NAT-T, and Jacco's docs which both state
that this one of three methods of identifying the private address
*behind* the NAT is valid, and should work.

  o Using Tunnel mode with roadwarriors, you will need to specify the
    IP in the FreeS/WAN Configuration or use Virtual IP (see below).

Are you saying that both sets of documentation are outdated or wrong?

> > right:
> > conn nattest
> >   right=%defaultroute
> >   left=
> >   leftnexthop=
> >   authby=secret
> >   auto=ignore
> Same ignore here.

Same reason here :P

> Note that both ends should include in a virtual_private or
> subnetwithin decleration, and should NOT have the 10.100.100 in there.
> (usually people put all of 192.168/16 and 10/8 in there)

Actually, it's either rightsubnet *OR* virtual_private *OR*
subnetwithin...unless I read something wrong. Right?

Anyway, thanks for the prompt answer. I'm going to have a whack at one
of the other methods of identifying the NAT'ed client tomorrow. I'll get
back to you on this. If in the meantime anyone else has suggestions...


Ferdinand O. Tempel

Your friendly neighborhood linuxops.net administrator.

More information about the Users mailing list