[Openswan Users] problem with nat
Paul Wouters
paul at xelerance.com
Mon Aug 1 23:10:48 CEST 2005
On Sat, 30 Jul 2005, Rob Mokkink wrote:
> nat_traversal=yes
> virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16
That should be:
> virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24
> conn roadwarrior-net
>
> leftsubnet=192.168.0.0/24
> also=roadwarrior
>
> conn roadwarrior-all
>
> leftsubnet=0.0.0.0/0
> also=roadwarrior
>
> conn roadwarrior
>
> left=%defaultroute
> leftcert=dsfw.redhatfw.org.pem
> right=%any
> rightsubnet=vhost:%no,%priv
> auto=add
> pfs=yes
>
> conn roadwarrior-l2tp
> type=transport
> left=%defaultroute
> leftcert=dsfw.redhatfw.org.pem
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/1701
> pfs=no
> auto=add
This right=%any will probably clash with the one in the other roadwarriors.
> conn roadwarrior-l2tp-oldwin
> left=%defaultroute
> leftcert=dsfw.redhatfw.org.pem
> leftprotoport=17/0
> right=%any
> rightprotoport=17/1701
> rightsubnet=vhost:%no,%priv
> pfs=no
> auto=add
you can merge these last two together if you use leftprotoport=17/%any
(same for rightprotoport)
> I the external IP address of the router is 192.168.0.52
That is not the "external" address of the router. If your router has
192.168.0.52 as its external address you reach it on, it cannot have
a leftsubnet=192.168.0.0/24 associated with it, because you'd need
itself to reach itself.
> cannot respond to IPsec SA request because no connection is known for
> 192.168.0.52/32===10.0.0.1:4500
You probably also saw a line rejecting your virtual_private= line in the
logs somewhere.
Paul
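Two of the points in this reply are mechanical enough to check before running ipsec: every virtual_private= entry needs its %v4:/%v6: prefix, and the subnet served as leftsubnet= must be carved out of the virtual_private ranges with a !%v4: entry. The following checker is an added example, not code from this thread or from Openswan; it assumes only the entry grammar shown in the reply (%v4:CIDR, %v6:CIDR, and a leading ! for exclusion) and does not handle the special %all/%no keywords, which a real config might also contain.

```python
import ipaddress
import re

# Constructed samples: the quoted broken line and the corrected line from the reply.
BROKEN_VP = "v4:172.16.0.0/12,v4:192.168.0.0/16"
FIXED_VP = "%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24"

# Grammar assumed here: optional '!' (exclude), '%v4:' or '%v6:', then a CIDR.
ENTRY_RE = re.compile(r"^(!?)%(v4|v6):(.+)$")


def parse_virtual_private(value):
    """Split a virtual_private= value into (include, exclude) network lists.

    Raises ValueError for an entry that lacks the %v4:/%v6: prefix, which is
    the defect in the quoted config and the line pluto would reject in the logs.
    """
    include, exclude = [], []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed virtual_private entry: {raw!r} (missing %v4:/%v6: prefix?)")
        negate, family, cidr = m.groups()
        net = ipaddress.ip_network(cidr, strict=False)
        if (family == "v4") != (net.version == 4):
            raise ValueError(f"address family tag {family} does not match {cidr}")
        (exclude if negate else include).append(net)
    return include, exclude


def local_subnet_excluded(value, leftsubnet):
    """True when leftsubnet is either outside every included range or
    explicitly excluded with a !%v4:/!%v6: entry covering it.

    A road warrior claiming a virtual address inside the gateway's own LAN
    would otherwise be accepted, so this is the check behind the reply's
    '!%v4:192.168.0.0/24' suggestion.
    """
    include, exclude = parse_virtual_private(value)
    lan = ipaddress.ip_network(leftsubnet, strict=False)
    overlaps = any(n.version == lan.version and lan.overlaps(n) for n in include)
    if not overlaps:
        return True
    return any(n.version == lan.version and lan.subnet_of(n) for n in exclude)


if __name__ == "__main__":
    try:
        parse_virtual_private(BROKEN_VP)
    except ValueError as exc:
        print("broken line rejected:", exc)
    print("fixed line covers LAN:", local_subnet_excluded(FIXED_VP, "192.168.0.0/24"))
```

Run it against the virtual_private= and leftsubnet= values from ipsec.conf; a False from local_subnet_excluded means the gateway's own LAN is still inside the range a remote client may claim as its virtual address.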