[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

Paul Wouters paul at xelerance.com
Thu Jun 17 20:48:26 CEST 2004


On Thu, 17 Jun 2004, Xiaoming Yu wrote:

> 
> I did some search on google and got some idea on this error message. It
> could mean I don't have a connection set up from the NAT box (it was set up
> to connect to the one behind NAT). If this is true, somehow I need to put
> the IP of NAT box in the config file, which is not realistic in the real
> scenario. I am wondering if I can put some type of wildcard in the
> ipsec.conf file, so the connection can be used for all the connection
> matching the wild card. Seems to be it is a reasonable requirement. This
> should be a general freeswan question, but mostly run into this when NAT-T
> is required? Any thoughts?

right=%any
 
> Has anybody here tried NAT-T with Linux as the responder? 

Many people run VPN servers based on Openswan with nat-t support for roaming
ADSL/dialup/gprs machines. Mostly using X.509 certificates, but you should
be able to use the right/left ids in raw rsa key as well.

> responder? If so, which draft version does it support? What's "no
> connection has been authorized" mean? 

It couldn't match the src-dst request with one of its loaded conn definitions.
With nat-t this is usually a problem with people forgetting to add
nat_traversal=yes, or with missing/invalid virtual_private or subnetwithin
settings.

Paul



More information about the Users mailing list