[Openswan Users] Rhel 3 with natt patch?
Nicole Hähnel
nicole.haehnel at epost.de
Wed Sep 15 14:18:52 CEST 2004
Hi,
I'll separate the networks to different connections.
But I don't understand why I need virtual_private.
I have one network on the right side "rightsubnet=...".
What's the difference between rightsubnet, rightsubnetwithin and
virtual_private?
And what is with the little network between server and dsl-router?
Do I have to specify this network with virtual_private too?
>
>
> I don't think this is a direct connect? since left is a public ip.
>
The public ip on the primary gateway is static.
I can't change it!
Why don't you think it's a direct connection?
Thanks!
Nicole
Paul Wouters wrote:
> On Tue, 14 Sep 2004, Nicole Hähnel wrote:
>
>> Now I get this line and no errors:
>>
>> Checking NAT and MASQUERADEing [N/A]
>
>
> Good.
>
>> config setup
>> interfaces="ipsec0=eth1"
>> klipsdebug=none
>> plutodebug=none
>> uniqueids=no
>> nat_traversal=yes
>
>
> You are still missing a virtual_private= line
>
>> conn lan1-lan2
>> leftrsasigkey=%cert
>> leftcert=vpn_cert1.pem
>> leftid="/C=XX...."
>> leftsubnet=172.10.0.0/16
>> right=%any
>> rightid="/C=XX..."
>> rightsubnet=172.10.10.0/24
>> rightrsasigkey=%cert
>> #
>> auto=add
>
>
> Your networks also overlap, this might cause problems.
>
>>
>> conn %default
>> authby=rsasig
>> left="public ip"
>> leftnexthop=xx.xx.xx.xx
>> leftrsasigkey=%cert
>> leftid="/C=XX..."
>> #
>> right=192.168.254.2
>> rightid="/C=XX..."
>> rightcert=vpn_cert2.pem
>>
>> conn lan1-lan2
>> rightrsasigkey=%cert
>> rightnexthop=%direct
>
>
> I don't think this is a direct connect? since left is a public ip.
>
>> leftsubnet=172.10.0.0/16
>> rightsubnet=172.10.10.0/24
>> rightupdown=/etc/ipsec.d/updown
>
>
> I don't know what this does, but I don't think it should be needed.
>
>> Is virtual_private needed or necessary?
>
>
> Yes. Either that or specify subnetwithin's. I always use
> virtual_private myself.
>
> Paul
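As an added illustration of the two points Paul raises (a missing virtual_private= line next to nat_traversal=yes, and leftsubnet 172.10.0.0/16 containing rightsubnet 172.10.10.0/24), here is a small config lint script. It is not part of the thread or of Openswan; it assumes a simplified ipsec.conf layout (only "config setup" and "conn <name>" headers followed by key=value lines) and uses a constructed sample mirroring the posted config.

```python
import ipaddress
import re

# Constructed sample modelled on the config quoted in the thread.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes

conn lan1-lan2
    leftsubnet=172.10.0.0/16
    right=%any
    rightsubnet=172.10.10.0/24
    auto=add
"""

def parse_sections(text):
    """Minimal parser (assumption: not a full ipsec.conf grammar).
    Returns {"config setup": {...}, "conn NAME": {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = m.group(1) + " " + m.group(2)
            sections[current] = {}
            continue
        if current and "=" in line:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections

def lint(text):
    """Report the two problems discussed in the thread as a list of strings."""
    secs = parse_sections(text)
    findings = []
    setup = secs.get("config setup", {})
    if setup.get("nat_traversal") == "yes" and "virtual_private" not in setup:
        findings.append("config setup: nat_traversal=yes but no virtual_private= line")
    for name, conf in secs.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        if "leftsubnet" not in conf or "rightsubnet" not in conf:
            continue
        left = ipaddress.ip_network(conf["leftsubnet"], strict=False)
        right = ipaddress.ip_network(conf["rightsubnet"], strict=False)
        if left.overlaps(right):
            findings.append(f"{name}: leftsubnet {left} overlaps rightsubnet {right}")
    return findings
```

Running lint(SAMPLE_CONF) reports both issues; after adding a virtual_private= line and moving the right-hand subnet out of 172.10.0.0/16 it reports nothing.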