FW: [Openswan Users] problem with nat

Rob Mokkink rob at mokkinksystems.com
Wed Aug 3 23:27:54 CEST 2005


All your tips and settings are not working.

I expected more from openswan, this is very very bad.
There are hardly any docs etc. on how to get it to work behind a gateway.

I really need a solution to my problem.

Thanks in advance.

Regards,

Rob

-----Original message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Monday 1 August 2005 22:11
To: Rob Mokkink
CC: users at openswan.org
Subject: Re: [Openswan Users] problem with nat

On Sat, 30 Jul 2005, Rob Mokkink wrote:

>        nat_traversal=yes
>        virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16

That should be:

virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24

> conn roadwarrior-net
>
>        leftsubnet=192.168.0.0/24
>        also=roadwarrior
>
> conn roadwarrior-all
>
>        leftsubnet=0.0.0.0/0
>        also=roadwarrior
>
> conn roadwarrior
>
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        right=%any
>        rightsubnet=vhost:%no,%priv
>        auto=add
>        pfs=yes
>
> conn roadwarrior-l2tp
>        type=transport
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        leftprotoport=17/1701
>        right=%any
>        rightprotoport=17/1701
>        pfs=no
>        auto=add

This right=%any will probably clash with the one in the other roadwarriors.

> conn roadwarrior-l2tp-oldwin
>        left=%defaultroute
>        leftcert=dsfw.redhatfw.org.pem
>        leftprotoport=17/0
>        right=%any
>        rightprotoport=17/1701
>        rightsubnet=vhost:%no,%priv
>        pfs=no
>        auto=add

You can merge these last two together if you use leftprotoport=17/%any
(same for rightprotoport).

> If the external IP address of the router is 192.168.0.52

That is not the "external" address of the router. If your router has
192.168.0.52 as its external address you reach it on, it cannot have
a leftsubnet=192.168.0.0/24 associated with it, because you'd need
itself to reach itself.

> cannot respond to IPsec SA request because no connection is known for
> 192.168.0.52/32===10.0.0.1:4500

You probably also saw a line rejecting your virtual_private= line in the
logs somewhere.

Paul
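Paul's two points above (the entries need the % prefix or the virtual_private= line is rejected, and the gateway's own leftsubnet must be carved out of virtual_private or it collides with the road-warrior virtual addresses) as a small checker. This is example code added here, not from the thread or from Openswan; it assumes only the virtual_private syntax shown in Paul's reply.

```python
"""Check an Openswan virtual_private= value against the gateway's own leftsubnet.

Added example for this thread, not Openswan code. Parses the %v4:/%v6:
entry syntax ('!' marks an exclusion) and reports whether the local
leftsubnet would be handed out as a road-warrior virtual address.
"""
import ipaddress


def parse_virtual_private(value):
    """Return (allowed, excluded) lists of ip_network objects."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        # Rob's original line used "v4:" without the %; Openswan rejects that.
        if not (entry.startswith("%v4:") or entry.startswith("%v6:")):
            raise ValueError(f"entry {entry!r} lacks the %v4:/%v6: prefix")
        net = ipaddress.ip_network(entry[4:], strict=False)
        (excluded if negate else allowed).append(net)
    return allowed, excluded


def local_subnet_clashes(virtual_private, leftsubnet):
    """True if leftsubnet lies inside an allowed range and is not fully excluded."""
    allowed, excluded = parse_virtual_private(virtual_private)
    local = ipaddress.ip_network(leftsubnet, strict=False)
    same = lambda n: n.version == local.version
    covered = any(local.subnet_of(a) for a in allowed if same(a))
    carved_out = any(local.subnet_of(e) for e in excluded if same(e))
    return covered and not carved_out


if __name__ == "__main__":
    # Both values are taken from the thread above; leftsubnet is Rob's LAN.
    broken = "%v4:172.16.0.0/12,%v4:192.168.0.0/16"
    fixed = "%v4:172.16.0.0/12,%v4:192.168.0.0/16,!%v4:192.168.0.0/24"
    for label, vp in (("without exclusion", broken), ("with exclusion", fixed)):
        print(label, "clash" if local_subnet_clashes(vp, "192.168.0.0/24") else "ok")
    try:
        parse_virtual_private("v4:172.16.0.0/12,v4:192.168.0.0/16")
    except ValueError as err:
        print("rejected:", err)
```

A clash means a road warrior could be assigned an address inside the gateway's own LAN, which is exactly the situation in which the l2tp and net conns stop matching cleanly.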

