[Openswan Users] NAT-T and ipsec.conf

Paul Wouters paul at xelerance.com
Wed Sep 1 11:10:18 CEST 2004


On Wed, 1 Sep 2004, Dave Harrison wrote:

[ NAT-T lab setup ]

> My ipsec.conf looks like this :
>
> config setup
>    interfaces="ipsec0=eth1"
>    ... (default stuff)
>    nat_traversal=yes

You either need a virtual_private= line here, or you need to
have a *subnetwithin= statement.

> conn example
>    authby=secret
>    left=10.0.0.2
>    compress=no
>    leftsubnet=10.0.3.0/24
>    leftnexthop=10.0.0.2
>    right=10.0.0.3
>    rightsubnet=10.0.1.0/24
>    rightnexthop=%direct
>    auto=start

You cannot really test out NAT-T with a %direct connection. You actually
*have* to NAT the packets, and you cannot do that on the gateways themselves.

Paul
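
The two points raised in the reply above can be checked mechanically. The following is an added example, not part of the original post or of Openswan: it parses an ipsec.conf and reports nat_traversal=yes with neither virtual_private= nor a *subnetwithin= setting, and any conn that uses %direct as a next hop. The function names are hypothetical, and the sample is the posted configuration with the elided "(default stuff)" line left out.

```python
# Constructed sample: the configuration quoted in the post, with the elided
# "(default stuff)" line left out.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes

conn example
    authby=secret
    left=10.0.0.2
    compress=no
    leftsubnet=10.0.3.0/24
    leftnexthop=10.0.0.2
    right=10.0.0.3
    rightsubnet=10.0.1.0/24
    rightnexthop=%direct
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {(section_type, name): {key: value}} for an ipsec.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            parts = line.split()
            current = sections.setdefault(tuple(parts), {}) if len(parts) == 2 else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def nat_t_findings(text):
    """List the NAT-T setup problems named in the reply (hypothetical helper)."""
    sections = parse_ipsec_conf(text)
    conns = {n: kv for (t, n), kv in sections.items() if t == "conn"}
    setup = sections.get(("config", "setup"), {})
    findings = []
    if setup.get("nat_traversal") == "yes":
        within = any(k.endswith("subnetwithin") for kv in conns.values() for k in kv)
        if "virtual_private" not in setup and not within:
            findings.append("config setup: nat_traversal=yes without virtual_private= or *subnetwithin=")
    for name, kv in conns.items():
        for key in ("leftnexthop", "rightnexthop"):
            if kv.get(key) == "%direct":
                findings.append(f"conn {name}: {key}=%direct, no NAT device between the peers")
    return findings
```

Calling nat_t_findings(SAMPLE_CONF) returns one finding for each of the two remarks in the reply.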


