[Openswan Users] Re: NAT Traversal support with openswan
Xiaoming Yu
xiaoming at us.ibm.com
Tue Jun 22 15:25:46 CEST 2004
Nate:
Sorry to bother you again. I have some difficulty finding any information
on the Xsubnet=vhost stuff you pointed out. I didn't find anything on Google
or on other freeswan web sites. I am still new to freeswan configuration. I
need to understand where I should put this and at least understand something
about what it is for.
Thanks.
Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com
Nate Carlson <natecars at natecarlson.com>
06/22/2004 11:31 AM
To: Xiaoming Yu/Rochester/IBM at IBMUS
cc: Paul Wouters <paul at xelerance.com>, users at lists.openswan.org
Subject: Re: [Openswan Users] Re: NAT Traversal support with openswan
On Tue, 22 Jun 2004, Xiaoming Yu wrote:
> I removed the nexthop for left (client side). I tried with both the
> private IP address and the IP address of the NAT box. Both gave me the
> error "no connection authorized". I am very confused by this. From the
> Linux point of view, it received a packet from NAT box (9.5.56.169), and
> somehow he analyzed the packets and knew it was actually from
> 9.5.56.160. So it doesn't like either way? Is it a reasonable
> explanation?
Ah, you'll also need to specify Xsubnet=vhost:%no,%priv (double-check the
syntax), and define %priv to include any networks that the boxes would be
on. Alternatively, do vhost:%no,%all for testing. This will allow the
internal IP of the box (it's encoded in the ipsec headers) to connect.
> Then this only leaves me one option, which is using %any for left. Then
> I got back the error I have described in detail before. It cannot find
> the matching preshared key in ipsec.secrets. It still remembers %any I
> specified before.
>
> I really don't think this is not that uncommon and somebody in this
> community should have tried that. Success or not, that is the thing I am
> trying to find out.
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
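Added example, not part of the original messages: where the vhost setting from the reply above would sit in the gateway's ipsec.conf, with "Xsubnet" read as leftsubnet because left is the client side in this thread. The connection name and the GATEWAY_IP placeholder are assumptions, and the /32 for the client is chosen here only because the thread gives no netmask.

```conf
# ipsec.conf on the Linux (Openswan) gateway. Constructed example.
config setup
    # Negotiate NAT-Traversal with peers that sit behind a NAT device.
    nat_traversal=yes
    # virtual_private is the list that %priv refers to: the inner
    # (pre-NAT) addresses a NATed peer is allowed to present.
    # Here only the client's own address from the thread is listed.
    virtual_private=%v4:9.5.56.160/32

conn natted-client
    # Preshared-key authentication, as in the thread (ipsec.secrets).
    authby=secret
    # left is the client side. The gateway sees packets arriving
    # from the NAT box address, not from the client's own address.
    left=9.5.56.169
    # vhost lets the peer's inner address act as its "subnet":
    #   %no   also accept the peer when it is not behind NAT
    #   %priv accept it behind NAT only if its inner address
    #         falls inside virtual_private above
    leftsubnet=vhost:%no,%priv
    # right is this gateway. GATEWAY_IP is a placeholder.
    right=GATEWAY_IP
    auto=add

# Testing-only variant mentioned in the reply. %all accepts any
# inner address the peer claims, so narrow it back to %priv once
# the tunnel comes up:
#    leftsubnet=vhost:%no,%all
```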