[Openswan Users] Re: the problem of ipsec and NAT-T
paul at xelerance.com
Thu Nov 18 12:36:58 CET 2004
On Thu, 18 Nov 2004, Richard Cai wrote:
> Now I have a question about it. I can't get it to work right. I think the trouble may be in Openswan's configuration file. One side is an Openswan Linux server, and it is behind a Cisco NAT router. It has a private IP address 10.1.1.20; the gateway is 10.1.1.21, which is the IP address of some interface on the NAT router. On the NAT router, I do a static NAT, 22.214.171.124--->10.1.1.20. The NAT router's public IP address is 126.96.36.199; the gateway is 188.8.131.52. The other side of the VPN is a Cisco router; the public IP address is 184.108.40.206, and the inside subnet is 192.168.1.0/24. In my network environment the PSK is a must. I can't install a VPN tunnel, please give me some help. Thanks.
Using PSK with NATed IP ranges is a bit tricky, since the IP address for which the secret
should be taken changes. You might want to try using 0.0.0.0 or %any instead of the regular
IP if it gets confused about the secret.
> cisco router's configuration:
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key emxtest address 220.127.116.11
> set peer 18.104.22.168
I am not sure if this would work, since the Cisco never sees the address 22.214.171.124. I do not
know how to configure Ciscos properly for NAT-T. Perhaps someone else on the list can shed some
light on this?
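
The wildcard form suggested in the reply, written out as an `ipsec.secrets` fragment. This is an added example, not part of the original message or of the Openswan documentation; the angle-bracket addresses and the secret are placeholders to fill in, not values from the thread.

```conf
# /etc/ipsec.secrets  (added example; <...> values are placeholders)
#
# Entry format:  <local id> <remote id> : PSK "<secret>"
#
# Form that pins the secret to both endpoint addresses. With NAT in the
# path, the address used to select the secret may not be the one written
# here (the point made in the reply), so the lookup can come up empty:
# <local-private-ip> <peer-public-ip> : PSK "<long-random-secret>"

# Wildcard form from the reply: %any matches whatever address the peer
# is seen under.
<local-private-ip> %any : PSK "<long-random-secret>"

# The other wildcard spelling mentioned in the reply:
# <local-private-ip> 0.0.0.0 : PSK "<long-random-secret>"

# A wildcard entry is used for every peer that has no more specific
# entry, so keep the secret long and random, and restrict the file:
#   chmod 600 /etc/ipsec.secrets
```

After editing the file, have pluto reload it with `ipsec auto --rereadsecrets` before retrying the connection.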