[Openswan Users]
Paul Wouters
paul at xelerance.com
Tue Apr 5 12:17:32 CEST 2005
On Tue, 5 Apr 2005, fran wrote:
You need to enable nat_traversal=yes on both ends and
virtual_private=%v4:172.17.0.0/16 on the end with the 172.17.0.0/16 network
Paul
> in my net, my VPN (server SERVER_A) is in internal network, so the interface ipsec0 is 172.17.0.51 (private ip),
> in my ipsec.conf my Gateway is 172.17.0.51 (left=172.17.0.51), but when tis IP arrives to my Firewall,
> is nated (static nat) to a public IP to go out to internet ( for example to a 80.45.12.28).
> the other part of VPN ( SERVER_B) must have in its ipsec.conf : right=80.45.12.28 because it see arrives the packets
> from the public IP (80.45.12.28), but when IKE negociation a mistake occur because the Gateway that the SERVER_A
> communicate it is 172.17.0.51 and not 80.45.12.28:
>
> Mar 15 09:48:38 fwint Pluto[7678]: "monteftp" #2: max number of retransmissions (2) reached STATE_MAIN_R2
> Mar 15 09:48:39 fwint Pluto[7678]: "monteftp" #4: responding to Main Mode
> Mar 15 09:48:41 fwint Pluto[7678]: "monteftp" #4: no suitable connection for peer '172.17.0.51'
>
> this is the problem: SERVER_B in its ipsec.conf must have right=80.45.12.28 because is the IP that it see arrives and send
> the packets, but in the IKE negociation SERVER_A say to SERVER_B that SERVER_A is 172.17.0.51 and not 80.45.12.28,
> and cause the error: no suitable connection for peer '172.17.0.51'
>
>
> SERVER_A--------------FIREWALL ----------internet-------------- SERVER_B
> 172.17.0.51(nated to:)80.45.12.28
>
> i need a solucion.
>
> thanks.
--
As time passes hardware approaches the effectiveness of a rock and
the reliability of a crack addict.
--- Naubert's law
More information about the Users
mailing list