[Openswan Users] Windows XP and OpenSwan

Aaron Smith asmith at nexcerpt.com
Thu Apr 28 11:26:41 CEST 2005


Ok. Couple of questions. I *think* this is a nat traversal issue.
If I have an Openswan Gateway machine that has a public IP and then I
have a Windows XP client behind a linux server doing NAT, does the
openswan Gateway need to support nat-t?  I can successfully create an
IPSec tunnel between the openswan gateway and the remote linux box
(though there is a minor issue with that which I think I'll send
separately to the list) but when I establish an IPSec connection to the
same Gateway directly from a Windows XP machine behind the linux box,
the tunnel comes up, but pings to the local subnet time out and although
I see ESP packets arrive at the Gateway, there is no traffic on ipsec0. 
I'm trying to get this to work as a test case because I have a user with
a Windows XP box behind a D-Link router doing NAT that I'd like to get
connected.
For the configuration, I followed Nate Carlson's HOWTO. The ipsec.conf
on the Gateway looks like this:

config setup
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.50.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=server_cert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

Which is pretty much cut and pasted from Nate's page. On the Windows machine, the ipsec.conf looks like:

conn asmith-XP
	left=%any
	right=<Gateway Public IP Scrubbed>
	rightca="<Subject from CA Cert>"
	network=auto
	auto=start
	pfs=yes

conn asmith-XP-net
	left=%any
	right=<Gateway Public IP Scrubbed>
	rightsubnet=192.168.50.0/24
	rightca="<Subject from CA Cert>"
	network=auto
	auto=start
	pfs=yes

-- 
-----------------------------------------------------------------
Aaron Smith             		vox: 269.226.9550 ext.26
http://www.nexcerpt.com       		fax: 269.349.9076	
	
	...Nexcerpt... Extend Your Expertise
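The question above is whether the gateway needs NAT-T when the XP client sits behind a NAT box. On Openswan 2.x, NAT traversal is switched on with `nat_traversal=yes` in the `config setup` section, and that line is absent from the gateway configuration quoted in the mail. The following script is an added example, not part of the mail or of Openswan itself: it parses an ipsec.conf (section headers in column 0, indented `key=value` parameters, `also=` and `conn %default` resolved), then reports the three settings a NATed roadwarrior relies on: `nat_traversal=yes`, the RFC 1918 ranges in `virtual_private`, and a `vhost:%no,%priv` rightsubnet. The embedded sample config is a constructed copy of the posted gateway config, and the precedence implemented for `also=` (a conn's own parameters win over included ones, which win over `%default`) is an assumption of this example.

```python
"""Check an Openswan gateway ipsec.conf for the settings a NATed
roadwarrior depends on. Added example; SAMPLE_GATEWAY_CONF is a
constructed copy of the gateway config posted in the thread."""

SAMPLE_GATEWAY_CONF = """\
config setup
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig

conn roadwarrior-net
        leftsubnet=192.168.50.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes
"""

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for 'config setup' and 'conn NAME'
    sections. Headers start in column 0, parameters are indented;
    '#' comments and blank lines are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[0] not in ("config", "conn"):
                raise ValueError("unexpected header line: %r" % raw)
            current = (parts[0], parts[1].strip())
            sections.setdefault(current, {})
        else:                                          # key=value in a section
            if current is None:
                raise ValueError("parameter outside any section: %r" % raw)
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError("parameter without '=': %r" % raw)
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, seen=frozenset()):
    """Effective parameters of a conn (assumed precedence: own settings beat
    also= settings, which beat conn %default). also= chains are followed
    recursively; a loop raises instead of recursing forever."""
    if name in seen:
        raise ValueError("also= loop involving conn %s" % name)
    seen = seen | {name}
    own = dict(sections[("conn", name)])
    merged = dict(sections.get(("conn", "%default"), {}))
    if "also" in own:
        for included in own.pop("also").split(","):
            merged.update(resolve_conn(sections, included.strip(), seen))
    merged.update(own)
    return merged


def check_nat_t(sections, conn_name):
    """Return findings for the NAT-related settings; [] means all three look right."""
    findings = []
    setup = sections.get(("config", "setup"), {})
    if setup.get("nat_traversal", "no").lower() != "yes":
        findings.append("config setup: nat_traversal=yes is missing, so ESP from a "
                        "NATed peer is not UDP-encapsulated")
    present = [r.split(":", 1)[-1]
               for r in setup.get("virtual_private", "").split(",") if r]
    missing = [r for r in RFC1918 if r not in present]
    if missing:
        findings.append("config setup: virtual_private lacks %s" % ", ".join(missing))
    conn = resolve_conn(sections, conn_name)
    rs = conn.get("rightsubnet", "")
    if not (rs.startswith("vhost:") and "%priv" in rs):
        findings.append("conn %s: rightsubnet should be vhost:%%no,%%priv so a NATed "
                        "client can present its private address" % conn_name)
    return findings


if __name__ == "__main__":
    cfg = parse_ipsec_conf(SAMPLE_GATEWAY_CONF)
    for finding in check_nat_t(cfg, "roadwarrior-net") or ["no NAT-related findings"]:
        print("-", finding)
```

Run against the sample, the only finding is the missing `nat_traversal=yes`; the `virtual_private` ranges and the `vhost:%no,%priv` rightsubnet inherited through `also=roadwarrior` both pass.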