[Openswan Users] Fedora Core2, Openswan 2.2.x, VPN & NAT-T

Nico Baggus mlfreeswan at noci.xs4all.nl
Fri Nov 5 20:11:25 CET 2004


Please search through the archives; last year I investigated problems I had 
with Zyxel equipment. Their implementation has some quirks:

1st, the longest time you can set up is 3600 seconds.
2nd, they assume the Phase1 & Phase2 SAs only occur together, e.g.
 when the Zyxel drops a connection, the Zyxel will correctly tell the remote
 to drop the Phase1 SA, but then WON'T drop the Phase2 SA.
 The Zyxel will drop the Phase2 SA exactly 60 seconds after the Phase1.

Still having a Phase2 SA, OpenSwan/FreeSwan will continue to transmit data, 
but alas no more tunnel. (DPD might resolve this; I have not tested that.
Then there was no DPD available, and now that Zyxel is in production and I 
can't experiment anymore.) The previous post exactly describes what I did.

Kind Regards,

Nico Baggus..

Oh, BTW, please ensure you have firmware from after May this year; older 
firmware has some additional problems when running more than 1 live tunnel
from a Zyxel.



On Friday 05 November 2004 18:54, Roberto Fichera wrote:
> Hi All,
>
> I would like to configure a box with Fedora Core2 (kernel 2.6.8-1.521) +
> Openswan 2.2.x
> as VPN gateway behind a Zyxel 652R-11 ADSL router, but I don't know
> how to set up Openswan to make it work. What ipsec.conf do I have to write?
> I guess that I have to use some NAT-T config. My configuration is as
> follows:
>
> Headquarters:
> FC2+OW22 (192.168.0.253) <--> Z652R11( LAN:192.168.0.254,
> WAN:1StaticIP)  <--> Internet
>
> Office A:
> Internet <--> Z652R11( WAN:1StaticIP, LAN:192.168.1.254) <--->
> 192.168.1.0/24
>
> Office B:
> Internet <--> Z652R11( WAN:1StaticIP, LAN:192.168.2.254) <--->
> 192.168.2.0/24
>
> and so on ;-)!
>
> The Zyxel has the default NAT setup as 192.168.0.253, on the HQ side, so
> every packet should be redirected to the FC2 box, I hope ;-)!
>
> Thanks in advance.
>
> Roberto Fichera.


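Added example (not part of the original thread and not tested against a Zyxel): an Openswan 2.x ipsec.conf sketch for the HQ gateway, reflecting the two points in the reply above, lifetimes held at 3600 seconds and DPD to notice a peer that has dropped its Phase1 SA. The right= address, leftid, the HQ subnet mask, PSK authentication and the DPD timings are assumptions or placeholders; the cap is assumed to apply to both Phase1 and Phase2.

```conf
# /etc/ipsec.conf on the FC2 box at HQ (added example, values marked below)
version 2.0

config setup
    # The HQ gateway sits behind the Zyxel's NAT, so enable NAT-T.
    nat_traversal=yes

conn hq-officeA
    # Local side: private address of the FC2 box, Zyxel LAN side as next hop
    # (both addresses are from the original post).
    left=192.168.0.253
    leftnexthop=192.168.0.254
    leftsubnet=192.168.0.0/24        # assumed /24, like the office LANs
    leftid=@hq.example               # placeholder ID; behind NAT the default
                                     # ID would be the private address
    # Remote side: Office A's Zyxel terminates the tunnel.
    right=203.0.113.10               # placeholder for Office A's static WAN IP
    rightsubnet=192.168.1.0/24
    authby=secret                    # assumption: pre-shared key in ipsec.secrets

    # Quirk 1: the Zyxel accepts at most 3600 seconds. Openswan's default
    # keylife (8h) exceeds that, so set both lifetimes explicitly.
    ikelifetime=3600s
    keylife=3600s

    # Quirk 2: the Zyxel can drop Phase1 while the Phase2 SA lingers, so
    # traffic keeps going into a dead tunnel. DPD (RFC 3706) probes the peer
    # and tears the SAs down when it stops answering. It is only used if the
    # peer also announces DPD support. Timings below are illustrative.
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold                   # trap traffic and renegotiate on demand

    auto=start
```

Office B would get a second conn section with its own right= address and rightsubnet=192.168.2.0/24.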