[Openswan Users] Re: NAT Traversal support with openswan (which
draft version initiator/responder?)
Paul Wouters
paul at xelerance.com
Thu Jun 17 20:48:26 CEST 2004
On Thu, 17 Jun 2004, Xiaoming Yu wrote:
>
> I did some search on google and got some idea on this error message. It
> could mean I don't have a connection set up from the NAT box (it was set up
> to connect to the one behind NAT). If this is true, somehow I need to put
> the IP of NAT box in the config file, which is not realistic in the real
> scenario. I am wondering if I can put some type of wildcard in the
> ipsec.conf file, so the connection can be used for all the connection
> matching the wild card. Seems to be it is a reasonable requirement. This
> should be a general freeswan question, but mostly run into this when NAT-T
> is required? Any thoughts?
right=%any
> Has anybody here tried NAT-T with Linux as the responder?
Many people run VPN servers based on Openswan with nat-t support for roaming
ADSL/dialup/gprs machines. Mostly using X.509 certificates, but you should
be able to use the right/left ids in raw rsa key as well.
> responder? If so, which draft version does it support? What's "no
> connection has been authorized" mean?
It couldn't match the src-dst request with one of its loaded conn definitions.
With nat-t this is usually a problem with people forgetting to add
nat_traversal=yes, or with missing/invalid virtual_private or subnetwithin
settings.
Paul
More information about the Users
mailing list