[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

giovanni.m at agilemovement.it giovanni.m at agilemovement.it
Thu Jun 17 19:59:42 CEST 2004


Xiaoming Yu <xiaoming at us.ibm.com> said:

> 
> Paul:
> 
> I tried %any in the config file and it found a connection and went a step
> further. But it failed to find the preshared key in the ipsec.secrets
> because I am stilling using the private IP there. Previous argument will
> apply there since the server doesn't have the knowledge of NAT before the
> packets come in, so I also need to use wildcard. I used %any to replace the
> ip address for the remote side, but still failed with "no preshared key
> found" error. How can I overcome this? Thanks.

Xiaoming,

I think I'm in the same configuration as you. My configuration works (but I am
using certificates rather than preshared keys). Perhaps looking at my conf
files will help?

Conf file for the NAT'd server:

# Global daemon settings for the host behind NAT (the initiator).
config setup
        # Bind the ipsec0 virtual interface to eth1.
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        # presumably makes a fresh IKE SA for a given ID replace the old one — confirm
        uniqueids=yes
        # NAT-T has to be on for both peers; the non-NAT'd server's config enables it as well.
        nat_traversal=yes

# Defaults inherited by every conn on the NAT'd host.
conn %default
        #keyingretries=0
        # NOTE(review): the quoted DN below is wrapped onto two lines by the mail
        # client; in the real ipsec.conf the whole value must be on one line.
        # ("administrator at cofax.it" is the list's obfuscation of an e-mail address.)
        leftid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax,
CN=new_milano_cert, Email=administrator at cofax.it"
        # Private (NAT-internal) address of this host and its gateway.
        left=192.168.0.1
        leftnexthop=192.168.0.254
        # NOTE(review): this turns off the KLIPS check that packets leaving a tunnel
        # carry plausible addresses, which weakens spoofing protection; presumably
        # set for the NAT case — confirm it is really needed.
        disablearrivalcheck=yes
        # Certificate-based authentication (not preshared keys).
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        rekey=yes
        pfs=yes
        compress=no
        leftcert=certs/swanCert.pem
        # This side initiates: conns that do not override auto are started.
        auto=start

# Tunnel from the NAT'd host to the server's 10.10.15.0/24 network.
conn milano-roma
        # Public address of the non-NAT'd server (redacted in this post).
        right=83.x.x.x
        rightsubnet=10.10.15.0/24
        # NOTE(review): wrapped by the mail client — must be a single line in the real file.
        rightid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma,
CN=roma_cofax, Email=administrator at cofax.it"
        authby=rsasig
        # Both peers' public keys are taken from their certificates.
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        auto=start
        pfs=yes

Conf file for the non-NAT'd server:

# Global daemon settings for the non-NAT'd server (the responder).
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        # NOTE(review): extra pluto debug output is left on here; it is verbose and
        # logs negotiation detail, so consider returning it to none once the tunnel works.
        plutodebug="parsing control"
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        # NOTE(review): the virtual_private line below lost its leading indent in
        # the mail; it belongs to this section and must be indented in the real file.
        # 10.10.15.0/24 is also this host's leftsubnet — if the roadwarrior must not
        # claim that range, exclude it (the !%v4: form) — verify.
       
virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:1.1.206.0/24,%v4:10.10.14.0/24,%v4:10.10.15.0/24

# Global connection defaults

# Defaults inherited by every conn on the non-NAT'd server.
conn %default
        #keyingretries=0
        # NOTE(review): disables the KLIPS tunnel-exit address check; weakens
        # spoofing protection, presumably needed for NAT'd peers — confirm.
        disablearrivalcheck=yes
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        rekey=yes
        pfs=yes
        compress=no
        # Public address of this server (redacted in this post).
        left=83.x.x.x
        leftnexthop=83.x.x.x
        leftsubnet=10.10.15.0/24
        leftrsasigkey=%cert
        # NOTE(review): wrapped by the mail client — must be a single line in the real file.
        leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma,
CN=roma_cofax, Email=administrator at cofax.it"
        leftcert=certs/swanCert.pem
        # Responder side: conns are loaded but not initiated from here.
        auto=add

# Roadwarrior conn for the NAT'd Milano host.
conn milano-roma
        type=tunnel
        leftsubnet=10.10.15.0/24
        # Accept the initiator from any address (its NAT'd public address is not
        # known in advance); the peer is still pinned by rightid and its certificate.
        right=%any
        rightrsasigkey=%cert
        # NOTE(review): wrapped by the mail client — must be a single line in the real file.
        rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax,
CN=new_milano_cert, Email=administrator at cofax.it"
        auto=add
        # presumably: peer may not claim its own host address (%no) but may claim a
        # subnet from virtual_private (%priv) — confirm against the ipsec.conf(5) man page
        rightsubnet=vhost:%no,%priv





