[Openswan Users] Problems with OpenSwan - Win2K both behind NAT -SOLVED-
Sauro Saltini
saltini at shc.it
Fri Jul 2 16:33:40 CEST 2004
Paul Wouters wrote:
> On Thu, 1 Jul 2004, Sauro Saltini wrote:
>
>
>>Trying to connect from the same clients placed behind a NAT gateway
>>the first part of the connection seems ok (ISAKMP SA established) but
>>after this I receive the message:
>>
>>cannot respond to IPsec SA request because no connection is known for
>>192.168.1.0/24===192.168.2.2:4500[<Certificate for
>>OpenSwan>]...xxx.xxx.xxx.xxx:4500[<Certificate for Win2k
>>Client>]===192.168.99.146/32
>>
>>where xxx.xxx.xxx.xxx is the public address of NAT box at client side
>>and 192.168.99.146/32 is the client LAN IP.
>>
>>in my ipsec.conf I have configured two connections :
>>
>>conn roadwarrior-net
>> leftsubnet=192.168.1.0/24
>> also=roadwarrior
>>
>>conn roadwarrior
>> left=192.168.2.2
>> leftnexthop=192.168.2.1
>> leftcert=xxxxx.pem
>> right=%any
>> pfs=yes
>> auto=add
>>
>>When I connect with a client with real IP assigned the connection
>>roadwarrior-net is started and IPsec SA is established correctly.
>
>
> It looks like your Openswan end doesn't have 192.168.99.146/32 as a
> possible private space behind NAT subnet. Is it part of your
> virtual_private or part of a subnetwithin definition?
>
> Paul
I completely missed defining virtual_private and rightsubnet... sorry!
Now it works perfectly, many thanks.
Sauro
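
Added example, not part of the thread and not Openswan's own code: a simplified Python model of why the NATed client's inner address 192.168.99.146/32 was rejected and how `virtual_private` plus `rightsubnet=vhost:%no,%priv` admits it. The `virtual_private` value, the exclusion of the 192.168.1.0/24 leftsubnet, and the stand-in public address 203.0.113.10 are assumptions; the thread does not show the final configuration.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.1.0/24")
RIGHTSUBNET = "vhost:%no,%priv"
NAT_PUBLIC = "203.0.113.10"   # stands in for the NAT box's public address


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) networks."""
    allowed, excluded = [], []
    for item in filter(None, (s.strip() for s in value.split(","))):
        family, _, net = item.partition(":")
        if family != "%v4":               # this model handles IPv4 entries only
            raise ValueError(f"unsupported entry: {item}")
        target = excluded if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!")))
    return allowed, excluded


def client_net_accepted(rightsubnet, virtual_private, client_net, peer_ip):
    """Simplified model: may the peer propose client_net as its tunnel end?"""
    net = ipaddress.ip_network(client_net)
    peer = ipaddress.ip_network(peer_ip)  # /32 of the address the gateway sees
    if not rightsubnet:
        # No rightsubnet: only the peer's own visible address matches the conn.
        return net == peer
    kind, _, opts = rightsubnet.partition(":")
    if kind != "vhost":
        raise ValueError("this model covers rightsubnet=vhost:... only")
    if net.prefixlen != 32:               # vhost means a single host
        return False
    flags = opts.split(",")
    if "%no" in flags and net == peer:    # client with a real, un-NATed IP
        return True
    if "%priv" in flags:                  # inner address behind NAT
        allowed, excluded = parse_virtual_private(virtual_private)
        return (any(net.subnet_of(a) for a in allowed)
                and not any(net.subnet_of(e) for e in excluded))
    return False
```

Excluding the gateway's own leftsubnet keeps a NATed client from claiming an address that collides with the LAN being protected.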