[Openswan Users] Re: the problem of ipsec and NAT-T

Paul Wouters paul at xelerance.com
Thu Nov 18 12:36:58 CET 2004

On Thu, 18 Nov 2004, Richard Cai wrote:

>   Now I have a question about it. I can't let it work right. I think the trouble may be in the openswan's configuration file. One side is openswan linux server, and it is behind a cisco NAT router. It has a private ip address , the gateway is, which is the NAT router's someone interface's ip address. And in the NAT router, I do a static NAT ,
> The NAT router's public ip address is, the gateway is The vpn other side is a cisco router, the public ip address is , the inside subnet is In my network environment the PSK is a must. I can't install a vpn tunnel, please give me some help. Thanks.

>       authby=secret

Using PSK with natted IP ranges is a bit tricky, since the IP address for which the secret
should be taken changes. You might want to try using or %any instead of the regular
IP if it gets confused about the secret.

>  cisco router's configuration:
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key emxtest address

> set peer

I am not sure if this would work, since the cisco never sees the address I do not
know how to configure cisco's properly for nat-t. Perhaps someone else on the list can shed some
light on this?
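
An `ipsec.secrets` sketch of the `%any` suggestion in the reply above, added here as an example and not taken from either poster's configuration. The addresses are constructed documentation values and the secret is a placeholder.

```conf
# /etc/ipsec.secrets on the Openswan host (added example).
# Keep this file owned by root with no access for other users.
#
# Constructed values, not from the thread:
#   192.168.1.10  private address of the Openswan host behind the NAT router
#   203.0.113.5   public address of the remote Cisco peer

# Entry indexed by the host's own private address and the peer address.
# With NAT in the path the address the secret is looked up for can differ
# from the one written here, so the lookup may not find this entry.
# 192.168.1.10 203.0.113.5 : PSK "REPLACE-WITH-LONG-RANDOM-SECRET"

# Entry using %any for the local index, as suggested in the reply.
# The peer index stays specific so the secret is not offered to other peers.
%any 203.0.113.5 : PSK "REPLACE-WITH-LONG-RANDOM-SECRET"

# Widest form: matches any pair of endpoints. Every peer that reaches this
# host is then authenticated against the same secret, so use it only when
# the narrower entry above cannot be made to match.
# %any %any : PSK "REPLACE-WITH-LONG-RANDOM-SECRET"
```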

