[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

Ken Bantoft ken at xelerance.com
Fri Jun 18 04:13:55 CEST 2004


On Thu, 17 Jun 2004, Paul Wouters wrote:

> On Thu, 17 Jun 2004, Xiaoming Yu wrote:
> 
> > I did some searching on Google and got some idea about this error message. It
> > could mean I don't have a connection set up from the NAT box (it was set up
> > to connect to the one behind NAT). If this is true, somehow I need to put
> > the IP of the NAT box in the config file, which is not realistic in a real
> > scenario. I am wondering if I can put some type of wildcard in the
> > ipsec.conf file, so the connection can be used for all the connections
> > matching the wildcard. It seems to be a reasonable requirement. This
> > should be a general FreeS/WAN question, but one mostly run into when NAT-T
> > is required? Any thoughts?
> 
> right=%any
>  
> > Has anybody here tried NAT-T with Linux as the responder? 
> 
> Many people run VPN servers based on Openswan with nat-t support for roaming
> ADSL/dialup/gprs machines. Mostly using X.509 certificates, but you should
> be able to use the right/left ids in raw rsa key as well.

RSASig works perfectly - I do this daily.  I have 2 X.509 and 2 RSASig 
tunnels that I connect to from behind all sorts of hostile NAT boxes.


> > responder? If so, which draft version does it support? What's "no
> > connection has been authorized" mean? 
> 
> It couldn't match the src-dst request with one of its loaded conn definitions.
> With nat-t this is usually a problem with people forgetting to add
> nat_traversal=yes, or with missing/invalid virtual_private or subnetwithin
> settings.

or rightsubnet=vhost:%no,%priv missing on the responder side.

Ken
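To tie together the settings mentioned in this thread (right=%any, nat_traversal=yes, virtual_private and rightsubnet=vhost:%no,%priv), here is an added responder-side ipsec.conf fragment for an Openswan 2.x gateway accepting a roaming RSASig peer from behind NAT. It is an illustration written for this reply, not a config from any of the posters; the interface, subnets, ids and the truncated 0sAQ... key values are placeholders you must replace with your own.

```ini
# config setup: NAT-T must be enabled globally, and virtual_private lists the
# RFC1918 ranges a NATed peer may claim as its virtual host address. The
# gateway's own LAN (192.168.1.0/24 here, placeholder) is excluded with "!"
# so a remote client can never claim an address that overlaps it.
config setup
	interfaces=%defaultroute
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Roadwarrior conn: the responder never knows the NAT box's public address,
# so right=%any matches any initiator; the peer is still authenticated by
# its RSA public key bound to rightid, not by its source IP.
conn roadwarrior-nat
	authby=rsasig
	left=%defaultroute
	leftid=@gateway.example.com
	leftsubnet=192.168.1.0/24
	leftrsasigkey=0sAQ...REPLACE-WITH-GATEWAY-KEY
	right=%any
	rightid=@laptop.example.com
	rightrsasigkey=0sAQ...REPLACE-WITH-CLIENT-KEY
	# %no: accept the peer's real (NATed private) address as its subnet;
	# %priv: also accept any address inside virtual_private.
	# Leaving this out is what produces "no connection has been authorized".
	rightsubnet=vhost:%no,%priv
	# Responder only loads the conn and waits; the roaming side initiates.
	auto=add
```

After editing, `ipsec auto --add roadwarrior-nat` (or a restart) loads the conn; `ipsec auto --status` should then list it with right=%any before any client connects.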


