[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)
Xiaoming Yu
xiaoming at us.ibm.com
Thu Jun 17 16:50:37 CEST 2004
Thanks for the reply from you and Mike. You two basically point to the same
conclusion, that is, use RSA instead of a preshared key. That makes sense,
since the NAT won't alter the RSA signature, while the preshared key lookup
depends on the IP address that is modified by the NAT box.
My only problem is that a certificate is more complicated than a preshared key, and
I haven't fully understood (or read thoroughly) what I should do if the
other side is not Linux, for example, an IBM iSeries. Instead of getting a
real certificate, can I create the RSA signature on Linux for both sides
and export it to the other non-Linux platform?
Also, I do know a lot of other vendors support the wildcard preshared key
for this kind of scenario in case the server has no prior knowledge of the
clients, like Cisco routers and IBM iSeries. Is the conclusion that openswan
has no such capability with preshared keys?
Thank you so much.
Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com
From: <giovanni.m at agilemovement.it>
To: Xiaoming Yu/Rochester/IBM at IBMUS, "Paul Wouters" <paul at xelerance.com>
cc: <users at lists.openswan.org>
Date: 06/17/2004 01:59 PM
Subject: Re: [Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)
Xiaoming Yu <xiaoming at us.ibm.com> said:
>
> Paul:
>
> I tried %any in the config file and it found a connection and went a step
> further. But it failed to find the preshared key in the ipsec.secrets
> because I am still using the private IP there. The previous argument will
> apply there since the server doesn't have the knowledge of NAT before the
> packets come in, so I also need to use a wildcard. I used %any to replace
> the IP address for the remote side, but still failed with "no preshared key
> found" error. How can I overcome this? Thanks.
Xiaoming,
I think I'm in the same configuration as you. My configuration works (but I
am using certificates rather than preshared keys). Perhaps looking at my conf
files will help?
Conf file for NAT'd server:

config setup
	interfaces="ipsec0=eth1"
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes
	# enable NAT-T (UDP encapsulation) so the NAT box can be traversed
	nat_traversal=yes

# Global connection defaults: this side authenticates with its certificate
conn %default
	#keyingretries=0
	leftid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=administrator at cofax.it"
	left=192.168.0.1
	leftnexthop=192.168.0.254
	disablearrivalcheck=yes
	# RSA signatures instead of a preshared key: not tied to the (NATed) source IP
	authby=rsasig
	keyexchange=ike
	ikelifetime=240m
	keylife=60m
	rekey=yes
	pfs=yes
	compress=no
	leftcert=certs/swanCert.pem
	auto=start

conn milano-roma
	right=83.x.x.x
	rightsubnet=10.10.15.0/24
	rightid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator at cofax.it"
	authby=rsasig
	# both public keys are taken from the certificates, not from ipsec.conf
	rightrsasigkey=%cert
	leftrsasigkey=%cert
	auto=start
	pfs=yes
Conf file for non-NAT'd server:

config setup
	interfaces="ipsec0=eth1"
	klipsdebug=none
	plutodebug="parsing control"
	plutoload=%search
	plutostart=%search
	uniqueids=yes
	nat_traversal=yes
	# private ranges the NATed peers may sit behind (used by %priv below)
	virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:1.1.206.0/24,%v4:10.10.14.0/24,%v4:10.10.15.0/24

# Global connection defaults
conn %default
	#keyingretries=0
	disablearrivalcheck=yes
	authby=rsasig
	keyexchange=ike
	ikelifetime=240m
	keylife=60m
	rekey=yes
	pfs=yes
	compress=no
	left=83.x.x.x
	leftnexthop=83.x.x.x
	leftsubnet=10.10.15.0/24
	leftrsasigkey=%cert
	leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator at cofax.it"
	leftcert=certs/swanCert.pem
	auto=add

conn milano-roma
	type=tunnel
	leftsubnet=10.10.15.0/24
	# peer address unknown in advance (NATed road warrior); matched on rightid instead
	right=%any
	rightrsasigkey=%cert
	rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=administrator at cofax.it"
	auto=add
	# accept a virtual IP from the private ranges listed in virtual_private
	rightsubnet=vhost:%no,%priv
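The two configurations above encode the thread's conclusion: a peer whose address is unknown or rewritten by NAT (right=%any) has to be matched on its certificate identity, because a preshared key is looked up by peer IP. As an added example, not part of this thread or of openswan, the following Python script parses an ipsec.conf in the same format and flags that mismatch, along with the vhost/nat_traversal/virtual_private dependencies shown in the second file. The embedded ipsec.conf is constructed for the example (the 203.0.113.1 address and the certificate IDs are placeholders, and the "before" conn psk-roadwarrior is hypothetical); the parser handles only the key=value sections seen here, not every ipsec.conf feature.

```python
"""Lint an ipsec.conf for the NAT-traversal pitfall discussed in the thread:
a preshared key cannot be found for a peer whose address NAT has rewritten."""
import re

# Constructed sample: a 'before' conn that keeps a preshared key behind NAT,
# and an 'after' conn in the shape of the working config from the thread.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/24,%v4:10.10.15.0/24

# Global connection defaults (203.0.113.1 is a placeholder address)
conn %default
    keyexchange=ike
    pfs=yes
    left=203.0.113.1
    leftsubnet=10.10.15.0/24
    leftrsasigkey=%cert
    leftid="C=IT, O=Example, CN=gateway"
    leftcert=certs/swanCert.pem

# 'before' (hypothetical): preshared key with an unknown NATed peer
conn psk-roadwarrior
    authby=secret
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

# 'after': RSA signature authentication keyed on the peer's certificate ID
conn milano-roma
    authby=rsasig
    right=%any
    rightrsasigkey=%cert
    rightid="C=IT, O=Example, CN=roaming_user"
    rightsubnet=vhost:%no,%priv
    auto=add
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return (setup, conns): keys of 'config setup' and a dict of conn name -> keys."""
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (values here contain no '#')
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m and not raw[0].isspace():  # section headers start in column 0
            kind, name = m.groups()
            current = setup if kind == "config" else conns.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip().strip('"')
    return setup, conns


def effective(conns, name):
    """Merge a conn over 'conn %default', the way the defaults section is applied."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def lint(text):
    """Return (conn, problem) tuples for NAT-traversal misconfigurations."""
    setup, conns = parse_ipsec_conf(text)
    problems = []
    for name in conns:
        if name == "%default":
            continue
        c = effective(conns, name)
        roadwarrior = c.get("right") == "%any"
        if roadwarrior and c.get("authby") == "secret":
            problems.append((name, "authby=secret with right=%any: the PSK lookup in "
                                   "ipsec.secrets is keyed by the peer address, which NAT rewrites"))
        if roadwarrior and c.get("authby") == "rsasig":
            for key in ("rightid", "rightrsasigkey"):
                if key not in c:
                    problems.append((name, f"right=%any with authby=rsasig needs {key} "
                                           "so the peer is matched on its certificate identity"))
        subnet = c.get("rightsubnet", "")
        if subnet.startswith("vhost:"):
            if setup.get("nat_traversal") != "yes":
                problems.append((name, "rightsubnet=vhost:... requires nat_traversal=yes in config setup"))
            if "%priv" in subnet and "virtual_private" not in setup:
                problems.append((name, "%priv in rightsubnet requires virtual_private in config setup"))
    return problems


if __name__ == "__main__":
    for conn, problem in lint(SAMPLE_CONF):
        print(f"conn {conn}: {problem}")
```

Run against the sample, only the hypothetical psk-roadwarrior conn is reported; milano-roma passes because it carries rightid and rightrsasigkey=%cert and the setup section has both nat_traversal=yes and virtual_private.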