[Openswan Users] NAT-T and ipsec.conf
Paul Wouters
paul at xelerance.com
Wed Sep 1 11:10:18 CEST 2004
On Wed, 1 Sep 2004, Dave Harrison wrote:
[ NAT-T lab setup ]
> My ipsec.conf looks like this :
>
> config setup
> interfaces="ipsec0=eth1"
> ... (default stuff)
> nat_traversal=yes
You either need a virtual_private= line here, or you need to
have a *subnetwithin= statement.
> conn example
> authby=secret
> left=10.0.0.2
> compress=no
> leftsubnet=10.0.3.0/24
> leftnexthop=10.0.0.2
> right=10.0.0.3
> rightsubnet=10.0.1.0/24
> rightnexthop=%direct
> auto=start
You cannot really test out NAT-T with a %direct connection. You actually
*have* to NAT the packets, and you cannot do that on the gateways themselves.
Paul