[Openswan Users] road warrior to nat'ed gateway

Noel Clarkson noel.clarkson at vic.uca.org.au
Sat Jun 19 00:40:57 CEST 2004


Thanks, found the logs and can now see that the problem is probably in
my config.  I'm trying to get:

road warrior  -----  router  ----- freeswan ----  internal network
x.x.x.x              220.240.x.x/   192.168.1.3/   10.0.0.0
                        192.168.1.1    10.0.0.155

So the NATing I'm referring to is because the freeswan box sits behind a
router that has the external ip whereas the freeswan box doesn't, but
the router passes any of the traffic needed for ipsec straight through
to the freeswan box (that part is working fine, it's the return journey
that's not so smooth).

At the moment I get (/var/log/auth.log on gateway (auth.log is Debian's
secure log)):

Jun 18 23:56:25 melvpn01 Pluto[7673]: "rwgw" 202.161.98.44 #8: cannot
respond to IPsec SA request because no connection is known for
10.0.0.0/8===192.168.1.3[@gw.xxx]...202.161.98.44[@rw.xxx] 


I looked at a few examples from the freeswan docs and tried to combine a
road warrior one with a NATed gateway which looked like what I've got,
but I must be getting something wrong as I'm guessing the === is
supposed to be the ipsec tunnel which is in the wrong place.  But am I
just using the wrong terminology or is this only possible with the nat
stuff in openswan (my work is pretty keen to stick with the debian
stable stuff on the gateway which leaves me a little behind the
times!!)?  If that's the case then I guess I'll have to see if my work
is willing to go with the necessary updates.

The connection configs are below.
gw config
conn rwgw
        leftid=@rw.xxx
        leftrsasigkey=key1here
        left=%any
        leftsubnet=
        rightid=@gw.xxx
        rightrsasigkey=otherkeyhere
        right=%defaultroute
        rightsubnet=10.0.0.0/24
        auto=add

rw config
conn rwgw
        leftid=@rw.xxx
        leftrsasigkey=key1here
        left=%defaultroute
        leftsubnet=
        rightid=@gw.xxx
        rightrsasigkey=otherkeyhere
        right=220.240.x.x
        rightsubnet=10.0.0.0/8
        auto=start

I think I'm still not quite getting the
right/left/rightnexthop/leftnexthop values and how they relate to
different setups.  Hopefully a reread and some sleep and it might become
clear to me.

Thanks again for your pointers,

cheers,

noel


On Fri, 2004-06-18 at 20:27, Paul Wouters wrote:
> On Fri, 18 Jun 2004, Noel Clarkson wrote:
> 
> > I've got a RH9 FreeSwan 2.06 road warrior trying to connect to a debian 
> > stable FreeSwan 1.96 that's NATed through a router.   I've looked at the 
> 
> Freeswan 1.x and 2.x do not support NAT traversal unless you matched them
> manually. Use Openswan instead.
> 
> > various indicators and it gets through isakmp: phase 1 okay but then all I 
> > see from a tcpdump is traffic going from the
> 
> Please use the logs (normally /var/log/secure) to find out the problems. They
> will tell you a lot more than tcpdump.
> 
> Paul 
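An added example, not part of the post above and not code from FreeS/WAN or Openswan: a small Python checker that parses the two conn blocks from the message and compares them end to end, rendering each the way the quoted Pluto line does (`localsubnet===local[localid]...remote[remoteid]`, local end first). The conn texts are constructed from the post (the `220.240.x.x` placeholder is kept as written, the rsasigkey values are the post's dummies, copied identically to both ends, and the 192.168.1.3 / 202.161.98.44 addresses are the ones in the log line). The matching rule is a simplified model of Pluto's Phase 2 lookup: "no connection is known for ..." means the peer's proposed selectors did not match any loaded conn, so the IDs and every subnet have to agree on both ends. Run against the posted configs it flags the one difference between them, the /24 on the gateway against the /8 on the road warrior, and shows that the road warrior's view is exactly what the gateway logged.

```python
"""Cross-check two ipsec.conf conn blocks the way a FreeS/WAN peer would
at Phase 2 lookup.  Added example; not code from the post or the project.
Simplified rule: the IDs, keys and subnets of each side must agree on both
ends, or Pluto reports that no connection is known for the proposal."""

import ipaddress

# Constructed from the post's two conn blocks (dummy keys, placeholder IP).
GW_CONF = """\
conn rwgw
        leftid=@rw.xxx
        leftrsasigkey=key1here
        left=%any
        leftsubnet=
        rightid=@gw.xxx
        rightrsasigkey=otherkeyhere
        right=%defaultroute
        rightsubnet=10.0.0.0/24
        auto=add
"""

RW_CONF = """\
conn rwgw
        leftid=@rw.xxx
        leftrsasigkey=key1here
        left=%defaultroute
        leftsubnet=
        rightid=@gw.xxx
        rightrsasigkey=otherkeyhere
        right=220.240.x.x
        rightsubnet=10.0.0.0/8
        auto=start
"""

# Selector part of the Pluto line quoted in the post.
LOG_SELECTORS = "10.0.0.0/8===192.168.1.3[@gw.xxx]...202.161.98.44[@rw.xxx]"

COMPARED = ("id", "rsasigkey", "subnet")   # per-side keys that must agree


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    Headers start in column 0 ('conn NAME'); settings are indented.
    Blank values such as 'leftsubnet=' are kept as '' (host-only end)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def normalize(key, value):
    """Subnets compare as networks, so '10.0.0.5/24' equals '10.0.0.0/24';
    everything else is compared as the literal string."""
    if key.endswith("subnet") and value:
        return str(ipaddress.ip_network(value, strict=False))
    return value


def describe(conn, local, local_host, remote_host):
    """Render a conn as the quoted Pluto line does, local end first."""
    remote = "right" if local == "left" else "left"
    parts = []
    for side, host in ((local, local_host), (remote, remote_host)):
        sub = conn.get(side + "subnet", "")
        parts.append((sub + "===" if sub else "") + f"{host}[{conn.get(side + 'id', '')}]")
    return "...".join(parts)


def find_mismatches(a, b):
    """List the per-side differences between two ends' copies of a conn.
    Empty list: IDs, keys and Phase 2 selectors line up."""
    problems = []
    for side in ("left", "right"):
        for key in COMPARED:
            name = side + key
            va, vb = normalize(name, a.get(name, "")), normalize(name, b.get(name, ""))
            if va != vb:
                problems.append(f"{name}: one end has '{va}', the other '{vb}'")
    return problems


def check_pair(gw_text, rw_text, name="rwgw"):
    """Return (mismatches, gateway's view, road warrior's proposal) for one conn.
    The gateway is 'right' in both files, so 'right' is its local end."""
    gw, rw = parse_conns(gw_text)[name], parse_conns(rw_text)[name]
    gw_view = describe(gw, "right", "192.168.1.3", "202.161.98.44")
    proposal = describe(rw, "right", "192.168.1.3", "202.161.98.44")
    return find_mismatches(gw, rw), gw_view, proposal


if __name__ == "__main__":
    problems, gw_view, proposal = check_pair(GW_CONF, RW_CONF)
    print("gateway conn :", gw_view)
    print("peer proposal:", proposal, "(matches log)" if proposal == LOG_SELECTORS else "")
    for p in problems:
        print("mismatch     :", p)
    fixed = RW_CONF.replace("rightsubnet=10.0.0.0/8", "rightsubnet=10.0.0.0/24")
    print("after /24 fix:", check_pair(GW_CONF, fixed)[0] or "no mismatches")
```

The checker only models selector and ID agreement; it says nothing about whether the router forwards ESP and UDP/500 back to 192.168.1.3 or about NAT traversal, which the posted 1.96/2.06 versions do not negotiate, so a clean result here means the two files describe the same tunnel, not that the tunnel will pass traffic.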


