[Openswan Users] NAT-T and ipsec.conf
Dave Harrison
David.Harrison at sensorynetworks.com
Wed Sep 1 16:55:17 CEST 2004
Hi all,
I'm trying out NAT-T and I'm finding the following problem.
I have a NAT firewall in between my VPN gateway [1] and another VPN endpoint
box [2] (specifically an IPCop 1.3.0 box - it is such a box for ease of
configuration at the remote end by the remote people).
+-----+        +-----------+        +----+
|  1  | <----  | Firewall  |  ----> | 2  |
+-----+        +-----------+        +----+
I have ports 500 and 4500 forwarded from the firewall to machine 1 (my
vpn gateway).
Now what I'm finding is that I can see ISAKMP traffic flowing from 1 to
2, and from 2 to 1, as they attempt to join up. However they just sit
there and try and try and time out. I think it is because machine 2 is
seeing the traffic return from the firewall's ip instead of 1's ip
address.
I've read the docs and the man page for ipsec.conf, but haven't found
anything that tells me if I have to add another configuration line to my
ipsec.conf file for this situation.
My ipsec.conf looks like this :
config setup
    interfaces="ipsec0=eth1"
    ... (default stuff)
    nat_traversal=yes
conn example
    authby=secret
    left=10.0.0.2
    compress=no
    leftsubnet=10.0.3.0/24
    leftnexthop=10.0.0.2
    right=10.0.0.3
    rightsubnet=10.0.1.0/24
    rightnexthop=%direct
    auto=start
As you can probably tell from this I've set myself up a little lab of
machines and a couple of switches to try nat-t out before I decide
whether I want to use it or not ;-)
So, can anyone help?
cheers
Dave
--
Dave Harrison, Systems Administrator, Sensory Networks
email: David.Harrison at sensorynetworks.com
phone: [W] +61-2-8302-2700
fingerprint: E29F 2D6A FA27 5B0B B429 F8D3 5318 22D6 E775 2241