[Openswan Users] Re: the problem of ipsec and NAT-T

Paul Wouters paul at xelerance.com
Thu Nov 18 12:36:58 CET 2004


On Thu, 18 Nov 2004, Richard Cai wrote:

>   Now I have a question about it. I can't make it work right. I think the trouble may be in the openswan configuration file. One side is an openswan linux server, and it is behind a cisco NAT router. It has a private IP address 10.1.1.20; the gateway is 10.1.1.21, which is the IP address of one of the NAT router's interfaces. In the NAT router I do a static NAT, 202.102.2.3 ---> 10.1.1.20. The NAT router's public IP address is 202.102.2.1; the gateway is 202.102.2.2. The other side of the VPN is a cisco router; its public IP address is 168.1.20.6, and the inside subnet is 192.168.1.0/24. In my network environment the PSK is a must. I can't establish a VPN tunnel, please give me some help. Thanks.

>       authby=secret

Using PSK with NATed IP ranges is a bit tricky, since the IP address for which the secret
should be taken changes. You might want to try using 0.0.0.0 or %any instead of the regular
IP if it gets confused about the secret.

>  cisco router's configuration:
>
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key emxtest address 202.102.2.3

> set peer 202.102.2.3

I am not sure if this would work, since the cisco never sees the address 202.102.2.3. I do not
know how to configure Ciscos properly for NAT-T. Perhaps someone else on the list can shed some
light on this?

Paul
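Added example (not part of the original thread or of Openswan's code): a simplified model of how a PSK entry in ipsec.secrets is selected by the local/remote address pair, showing why an entry indexed by the public address 202.102.2.3 finds nothing when the Openswan host itself sees 10.1.1.20, and why a %any (or 0.0.0.0) index matches. The matching rule is an assumption for illustration, not Openswan's actual lookup; the addresses and the PSK "emxtest" come from the thread.

```python
# Added example: simplified model of ipsec.secrets PSK selection behind NAT.
# The matching rule below is an assumption for illustration, not Openswan's code.
import re
from typing import List, Optional, Tuple

# Constructed ipsec.secrets contents (addresses and PSK value from the thread).
SECRETS_STRICT = '202.102.2.3 168.1.20.6 : PSK "emxtest"\n'      # public IP index
SECRETS_WILDCARD = '%any 168.1.20.6 : PSK "emxtest"\n'           # Paul's suggestion

# Two-index PSK line: <idA> <idB> : PSK "<secret>"
_LINE = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')
WILDCARDS = {"%any", "0.0.0.0"}   # indices that match any address


def parse_secrets(text: str) -> List[Tuple[str, str, str]]:
    """Return (idA, idB, psk) for each two-index PSK line; skip blanks/comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def _index_matches(index: str, addr: str) -> bool:
    return index in WILDCARDS or index == addr


def lookup_psk(text: str, local: str, remote: str) -> Optional[str]:
    """Return the PSK whose two indices cover local and remote (either order)."""
    for a, b, psk in parse_secrets(text):
        if (_index_matches(a, local) and _index_matches(b, remote)) or \
           (_index_matches(a, remote) and _index_matches(b, local)):
            return psk
    return None   # no entry covers this address pair


if __name__ == "__main__":
    # Openswan knows its own address as 10.1.1.20, not the NATed 202.102.2.3,
    # so the strict entry is never found while the wildcard entry is.
    print(lookup_psk(SECRETS_STRICT, "10.1.1.20", "168.1.20.6"))    # None
    print(lookup_psk(SECRETS_WILDCARD, "10.1.1.20", "168.1.20.6"))  # emxtest
```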

