FW: [Openswan Users] problem with nat

Rob Mokkink rob at mokkinksystems.com
Tue Aug 2 00:15:38 CEST 2005


Paul,

I think I get it.

The number of connections can be downgraded.

Something like:

nat_traversal=yes
virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24

conn roadwarrior-net

        leftsubnet=10.0.0.0/8
        also=roadwarrior


conn roadwarrior-all
       leftsubnet=0.0.0.0/0
       also=roadwarrior

conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftcert=dsfw.redhatfw.org.pem
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        pfs=no
        auto=add


is all that is necessary to get it working.

Regards,

Rob

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Monday 1 August 2005 22:11
To: Rob Mokkink
CC: users at openswan.org
Subject: Re: [Openswan Users] problem with nat

On Sat, 30 Jul 2005, Rob Mokkink wrote:

>        nat_traversal=yes
>        virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16

That should be:

virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24

> conn roadwarrior-net
>
>        leftsubnet=192.168.0.0/24
>        also=roadwarrior
>
> conn roadwarrior-all
>
>        leftsubnet=0.0.0.0/0
>        also=roadwarrior
>
> conn roadwarrior
>
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        right=%any
>        rightsubnet=vhost:%no,%priv
>        auto=add
>        pfs=yes
>
> conn roadwarrior-l2tp
>        type=transport
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        leftprotoport=17/1701
>        right=%any
>        rightprotoport=17/1701
>        pfs=no
>        auto=add

This right=%any will probably clash with the one in the other roadwarriors.

> conn roadwarrior-l2tp-oldwin
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        leftprotoport=17/0
>        right=%any
>        rightprotoport=17/1701
>        rightsubnet=vhost:%no,%priv
>        pfs=no
>        auto=add

You can merge these last two together if you use leftprotoport=17/%any
(same for rightprotoport).

> I the external IP address of the router is 192.168.0.52

That is not the "external" address of the router. If your router has
192.168.0.52 as its external address you reach it on, it cannot have
a leftsubnet=192.168.0.0/24 associated with it, because you'd need
itself to reach itself.

> cannot respond to IPsec SA request because no connection is known for
> 192.168.0.52/32===10.0.0.1:4500

You probably also saw a line rejecting your virtual_private= line in the
logs somewhere.

Paul
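A small checker for the two configuration points Paul raises above (the `!` exclusion in virtual_private, and a gateway address that sits inside its own leftsubnet), added here as an example; it is not code from the thread or from Openswan. It assumes a constructed ipsec.conf fragment with an explicit left= address instead of %defaultroute, since the address must be known to test it.

```python
import ipaddress

# Constructed sample modelled on the thread's config: the gateway's own
# address lies inside the leftsubnet it advertises.  (Assumption: left=
# is given explicitly here rather than as %defaultroute.)
SAMPLE = """
conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior
conn roadwarrior
        left=192.168.0.52
        right=%any
        rightsubnet=vhost:%no,%priv
"""
VP_BAD = "%v4:172.16.0.0/12,%v4:192.168.0.0/16"
VP_FIXED = VP_BAD + ",!%v4:192.168.0.0/24"

def parse_conns(text):
    """Minimal ipsec.conf parser: conn name -> {key: value}."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('conn '):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif '=' in line and cur is not None:
            k, v = line.split('=', 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def resolve(conns, name, seen=()):
    """Expand also= recursively; a conn's own keys override included ones."""
    params = dict(conns[name])
    inc = params.pop('also', None)
    if inc and inc not in seen:
        merged = resolve(conns, inc, seen + (name,))
        merged.update(params)
        return merged
    return params

def parse_virtual_private(value):
    allowed, excluded = [], []
    for item in value.split(','):
        cidr = item.lstrip('!').split(':', 1)[1]   # strip '!' and '%v4'
        (excluded if item.startswith('!') else allowed).append(ipaddress.ip_network(cidr))
    return allowed, excluded

def check(text, virtual_private):
    """Return a list of human-readable problems; empty means nothing found."""
    problems, conns = [], parse_conns(text)
    allowed, excluded = parse_virtual_private(virtual_private)
    for name in conns:
        p = resolve(conns, name)
        if 'leftsubnet' not in p:
            continue
        subnet = ipaddress.ip_network(p['leftsubnet'], strict=False)
        if subnet.prefixlen == 0:
            continue  # a 0.0.0.0/0 catch-all cannot be excluded; not checked here
        left = p.get('left', '')
        if not left.startswith('%') and ipaddress.ip_address(left) in subnet:
            problems.append(f"{name}: left={left} lies inside leftsubnet={subnet}")
        if any(subnet.overlaps(a) for a in allowed) and not any(subnet.subnet_of(e) for e in excluded):
            problems.append(f"{name}: leftsubnet={subnet} overlaps virtual_private without a ! exclusion")
    return problems
```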


