[Openswan Users] X.509 and NAT-T setup.
Dennis Boylan
openswan at b-lan.com
Fri Mar 26 15:51:47 CET 2004
Well, I think I've gotten all of the software compiled to do this using
2.1.1.
IPSEC startup does not tell me that NAT-T is disabled.
I've been playing with this and seem to be missing something.
Desired functionality:
  - Remote PCs with Windows 2000/XP and Linux with IPSEC VPN.
  - IPSEC VPN over wireless
  - Wireless and remote PCs may or may not be behind a NAT.
I'm trying to test the wireless setup under Linux before I brave
the world of Microsoft.
The gateway server has 3 interfaces.
  Eth0 = Dynamic
  Eth1 = 192.168.125.1/24 Server Lan
  Eth2 = 192.168.124.1/24 Wireless Lan
On the gateway machine, I have:
config setup
    interfaces="%defaultroute ipsec1=eth2"
    uniqueids=yes
    nat_traversal=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn wireless
    right=%any
    rightcert=ibm600e.pem
    left=192.168.124.1
    leftcert=gateway.pem
    auto=add

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

On the ibm600, I have:
config setup
    interfaces=%defaultroute
    plutodebug=none
    uniqueids=yes
    dumpdir=/tmp
    nat_traversal=yes

conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn wireless
    left=192.168.124.1
    leftcert=gateway.pem
    right=%defaultroute
    rightcert=ibm600e.pem
    auto=add
    pfs=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

What am I missing?
- Dennis