[Openswan Users] problem with nat

Paul Wouters paul at xelerance.com
Mon Aug 1 23:10:48 CEST 2005


On Sat, 30 Jul 2005, Rob Mokkink wrote:

>        nat_traversal=yes
>        virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16

That should be:
>        virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24

> conn roadwarrior-net
>
>        leftsubnet=192.168.0.0/24
>        also=roadwarrior
>
> conn roadwarrior-all
>
>        leftsubnet=0.0.0.0/0
>        also=roadwarrior
>
> conn roadwarrior
>
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        right=%any
>        rightsubnet=vhost:%no,%priv
>        auto=add
>        pfs=yes
>
> conn roadwarrior-l2tp
>        type=transport
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        leftprotoport=17/1701
>        right=%any
>        rightprotoport=17/1701
>        pfs=no
>        auto=add

This right=%any will probably clash with the one in the other roadwarriors.

> conn roadwarrior-l2tp-oldwin
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        leftprotoport=17/0
>        right=%any
>        rightprotoport=17/1701
>        rightsubnet=vhost:%no,%priv
>        pfs=no
>        auto=add

You can merge these last two together if you use leftprotoport=17/%any
(same for rightprotoport).

> If the external IP address of the router is 192.168.0.52

That is not the "external" address of the router. If your router has
192.168.0.52 as its external address you reach it on, it cannot have
a leftsubnet=192.168.0.0/24 associated with it, because you'd need
itself to reach itself.

> cannot respond to IPsec SA request because no connection is known for
> 192.168.0.52/32===10.0.0.1:4500

You probably also saw a line rejecting your virtual_private= line in the
logs somewhere.

Paul
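As an added example (not code from the thread or from the Openswan project), a small Python checker that parses an ipsec.conf fragment, expands also= chains, and flags the two mistakes discussed above: virtual_private entries that lack the %v4: form or do not exclude the local LAN with !%v4:, and a conn whose left= address falls inside its own leftsubnet. The sample configuration is constructed and the function names are assumptions of this example.

```python
import ipaddress
# Constructed ipsec.conf fragment with the two mistakes from the thread (not the poster's file).
SAMPLE_CONF = """\
config setup
        virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16
conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior
conn roadwarrior
        left=192.168.0.52
"""

def parse_conf(text):                 # -> {section: {key: value}}; 'config setup' -> 'setup'
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():            # 'conn NAME' or 'config setup'
            current = sections.setdefault(line.split()[1], {})
        elif line.strip():                            # indented key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def resolve_conn(sections, name):     # expand also= chains; the referring conn's keys win
    conn = dict(sections[name])
    base = conn.pop("also", None)
    return {**resolve_conn(sections, base), **conn} if base else conn

def _net(entry):                      # '%v4:X', '!%v4:X' or a bare 'v4:X' -> ip_network(X)
    return ipaddress.ip_network(entry.lstrip("!%")[3:])

def check_conf(text):                 # findings for the virtual_private / leftsubnet mistakes
    sections = parse_conf(text)
    entries = [e for e in sections.get("setup", {}).get("virtual_private", "").split(",") if e]
    findings = [f"virtual_private entry {e!r} needs the %v4:/%v6: form"
                for e in entries if not e.lstrip("!").startswith(("%v4:", "%v6:"))]
    allowed = [_net(e) for e in entries if not e.startswith("!")]
    excluded = [_net(e) for e in entries if e.startswith("!")]
    for name in (n for n in sections if n != "setup"):
        conn = resolve_conn(sections, name)
        if conn.get("leftsubnet", "0.0.0.0/0") == "0.0.0.0/0":
            continue                  # no leftsubnet, or the catch-all one: nothing to check
        subnet = ipaddress.ip_network(conn["leftsubnet"])
        inside = any(a.version == subnet.version and subnet.subnet_of(a) for a in allowed)
        if inside and subnet not in excluded:
            findings.append(f"{name}: leftsubnet {subnet} is in virtual_private; add !%v4:{subnet}")
        left = conn.get("left", "")
        if left and not left.startswith("%") and ipaddress.ip_address(left) in subnet:
            findings.append(f"{name}: left={left} is inside its own leftsubnet {subnet}")
    return findings
```

Running check_conf on the sample reports the two bad virtual_private entries, the missing !%v4:192.168.0.0/24 exclusion, and the left= address sitting inside its own leftsubnet; applying Paul's corrections empties the list.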
