[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)
Paul Wouters
paul at xelerance.com
Fri Jun 18 01:18:28 CEST 2004
On Thu, 17 Jun 2004, Xiaoming Yu wrote:
> Thanks for the reply from you and Mike. You two basically point to the same
> conclusion, that is use RSA instead of preshared key. That makes sense
> since the NAT won't alter the RSA signature, while preshared key query
> depends on the IP address that is modified by the NAT box.
>
> My only problem is certificate is more complicated than preshared key, and
> I haven't fully understood (or read thoroughly) what I should do if the
We did not say X509 certificates. We said "raw rsa keys".
Just run 'ipsec showhostkey --left' (or right) on both ends and put the output
lines in the conn, so you get something like:
conn connname
	left=193.110.157.5
	leftid=@myleftboxid
	leftrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
	right=193.110.157.1
	rightid=@myrightboxid
	rightrsasigkey=0sAQOARC9BlnBd3LedOM70oF3d57/nwzx4F5tWEtdWcecTquefc6hnu3Kxa32rJ4cLxmmK4ugfKx/a7CRBuxhGRS4MTOu2gPNpUNRecpIJcyg51D6CyDh9JrvfjFOCzIGOQyQku4xfR9rjZ2j3DGHWDZzW6YQPK3oZMBb+gPhEWhrR+avdPp+f7doUiMidUNrO6TwN/IMpJAC2lxw7jfupOvevDxsqx5OCN+qak+d8m9ueoixX4/fMlMTOUIXtKDeij+Y+faAOICEl+ZSRBhpMlvjT3AyjFZFPbms+9jCR04VcYESPYLM8xHa1Pn2OqQrLp5dMt0Uv+sAnL2/zOCwJpQ2IuTiFFhtyFQGOXrvu8G6Iv6z7
	authby=rsasig
	auto=route
Paul
--
<Reverend> IRC is just multiplayer notepad.
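
Added example, not part of the original message and not Openswan code: a Python check that decodes the "0s" (base64) rsasigkey values of a conn section, which follow the RFC 3110 layout (exponent length, exponent, modulus), and reports which side's public key differs between the configs on the two ends. The function names, the 16-character SHA-256 fingerprint and the sample keys are assumptions made for this illustration; the sample keys are constructed filler bytes, not usable RSA keys.

```python
import base64
import hashlib
import re

def decode_rsasigkey(value):
    """Decode a '0s'-prefixed (base64) rsasigkey: exponent length, exponent, modulus."""
    if not value.startswith("0s"):
        raise ValueError("only the 0s (base64) form is handled")
    b64 = value[2:]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if len(raw) < 3:
        raise ValueError("key too short")
    elen, off = raw[0], 1
    if elen == 0:  # long form: a zero byte, then a 2-byte exponent length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent, modulus = raw[off:off + elen], raw[off + elen:]
    if len(exponent) != elen or not modulus:
        raise ValueError("truncated key")
    return {
        "exponent": int.from_bytes(exponent, "big"),
        "bits": int.from_bytes(modulus, "big").bit_length(),
        "fingerprint": hashlib.sha256(raw).hexdigest()[:16],  # assumed display form
    }

def conn_keys(conf_text):
    """Map 'left'/'right' to the decoded key found in a conn section."""
    pattern = r"^\s*(left|right)rsasigkey\s*=\s*(\S+)"
    return {m.group(1): decode_rsasigkey(m.group(2))
            for m in re.finditer(pattern, conf_text, re.M)}

def mismatched_sides(conf_a, conf_b):
    """Sides whose public key is missing or differs between the two ends."""
    a, b = conn_keys(conf_a), conn_keys(conf_b)
    return [s for s in ("left", "right")
            if s not in a or s not in b
            or a[s]["fingerprint"] != b[s]["fingerprint"]]

def _sample_key(seed):
    # Constructed filler in the key layout (e=3, 1024-bit value); not a usable RSA key.
    modulus = (b"\xc1" + hashlib.sha256(seed).digest() * 4)[:128]
    return "0s" + base64.b64encode(bytes([1, 3]) + modulus).decode()

CONF = "conn connname\n    leftrsasigkey={}\n    rightrsasigkey={}\n    authby=rsasig\n"
END_A = CONF.format(_sample_key(b"left box"), _sample_key(b"right box"))
END_B = CONF.format(_sample_key(b"left box"), _sample_key(b"other box"))  # wrong paste

if __name__ == "__main__":
    for side, info in conn_keys(END_A).items():
        print(side, info)
    print("mismatched:", mismatched_sides(END_A, END_B))
```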