[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

Paul Wouters paul at xelerance.com
Fri Jun 18 01:18:28 CEST 2004


On Thu, 17 Jun 2004, Xiaoming Yu wrote:

> Thanks for the reply from you and Mike. You two basically point to the same
> conclusion, that is use RSA instead of preshared key. That makes sense
> since the NAT won't alter the RSA signature, while preshared key query
> depends on the IP address that is modified by the NAT box.
> 
> My only problem is certificate is more complicated than preshared key, and
> I haven't fully understand (or read thoroughly) what I should do if the

We did not say X509 certificates. We said "raw rsa keys"

Just run 'ipsec showhostkey --left' (or right) on both ends and put the output
lines in the conn, so you get something like:

conn connname
        left=193.110.157.5
        leftid=@myleftboxid
        leftrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
        right=193.110.157.1
        rightid=@myrightboxid
        rightrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
        authby=rsasig
        auto=route

Paul
-- 

<Reverend> IRC is just multiplayer notepad.
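To turn the two showhostkey outputs into the conn stanza the mail describes, here is an added helper (not openswan's own code and not from the thread). It assumes the showhostkey output is a comment line followed by a leftrsasigkey=/rightrsasigkey= line, uses constructed placeholder keys instead of real host keys, and checks that each value decodes as an RFC 3110 public key behind the '0s' base64 marker and that the two boxes' keys differ.

```python
import base64
import re

# Added helper (not openswan code): pack/unpack '0s' rsasigkey values and build the conn.
def encode_hostkey(exponent: int, modulus: int) -> str:
    """Pack an RSA public key in RFC 3110 layout (exponent length, exponent,
    modulus) and prefix it with '0s', openswan's marker for base64 values."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(bytes([len(e)]) + e + n).decode()

def parse_hostkey(value: str):
    """Decode a '0s...' rsasigkey value; return (exponent, modulus_bits)."""
    if not value.startswith("0s"):
        raise ValueError("expected a base64 host key starting with 0s")
    raw = base64.b64decode(value[2:], validate=True)
    elen, off = raw[0], 1
    if elen == 0:                          # RFC 3110: a 2-byte length follows
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[off:off + elen], "big")
    modulus = int.from_bytes(raw[off + elen:], "big")
    return exponent, modulus.bit_length()

KEY_RE = re.compile(r"^\s*(?:left|right)rsasigkey=(\S+)\s*$", re.M)

def build_conn(name, left_out, right_out, left, leftid, right, rightid):
    """Combine each box's showhostkey output into one conn stanza, rejecting
    values that do not decode and the copy-paste case of identical keys."""
    keys = []
    for side, text in (("left", left_out), ("right", right_out)):
        m = KEY_RE.search(text)
        if not m:
            raise ValueError(f"no rsasigkey line in the {side} showhostkey output")
        parse_hostkey(m.group(1))          # raises on a mangled paste
        keys.append(m.group(1))
    if keys[0] == keys[1]:
        raise ValueError("both sides carry the same key; paste each box's own key")
    lines = [f"conn {name}",
             f"\tleft={left}", f"\tleftid={leftid}", f"\tleftrsasigkey={keys[0]}",
             f"\tright={right}", f"\trightid={rightid}", f"\trightrsasigkey={keys[1]}",
             "\tauthby=rsasig", "\tauto=route"]
    return "\n".join(lines) + "\n"

# Constructed stand-ins for what 'ipsec showhostkey --left' prints on the left
# box and '--right' on the right box; the 256-bit moduli are placeholders only.
LEFT_OUT = ("\t# RSA 256 bits   leftbox   Thu Jun 17 2004\n"
            "\tleftrsasigkey=" + encode_hostkey(3, (1 << 255) | 0x10001) + "\n")
RIGHT_OUT = ("\t# RSA 256 bits   rightbox   Thu Jun 17 2004\n"
             "\trightrsasigkey=" + encode_hostkey(3, (1 << 255) | 0x10003) + "\n")
```

Calling build_conn("connname", LEFT_OUT, RIGHT_OUT, "193.110.157.5", "@myleftboxid", "193.110.157.1", "@myrightboxid") prints a stanza shaped like the one in the mail, with each side's own key.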