[Openswan Users] L2TP/IPsec with double NAT
Paul Wouters
paul at xelerance.com
Fri Aug 12 16:30:29 CEST 2005
On Fri, 12 Aug 2005, Stefano wrote:
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.4.0dr9/K2.6.11-gentoo-r11 (netkey)
> Checking for IPsec support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
That's fine if you use X.509 or PSK
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support [OK]
> Opportunistic Encryption Support [DISABLED]
That's fine too.
> RSA private doesn't scare me, but I can't see support for masquerading, so
> what am I missing? Do I have to apply some patches? Which one and how (sorry,
> but I would like to receive an answer somewhat clearer than just "apply the
> patch"...I don't know how!!!)
It checks for conflicting MASQ/NAT rules. It does not find any of those rules
that would break NAT. So that is not a problem. You do not need patches.
I guess it should also say "[OK]" if it finds no problems. I'll add that.
> Aug 12 14:44:09 Orione pluto[10318]: "I-hate-vpn"[2] xxx.xxx.xxx.82 #1:
> cannot respond to IPsec SA request because no connection is known for
> xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@laptop10.icdoc.local]:17/1701
Do you have a rightsubnet=vhost:%no,%priv with an appropriate virtual_private
line that includes xxx.xxx.xxx.0/24 ?
Or try it first without NAT?
Paul
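The ipsec.conf fragment below is an added illustration of the setting Paul asks about; it is not from his reply or from the Openswan project. It shows where `virtual_private` (in `config setup`) and `rightsubnet=vhost:%no,%priv` (in the conn) belong for an L2TP/IPsec responder that accepts clients behind NAT on the Openswan 2.4 line this thread is about. The addresses are placeholders: 192.0.2.10 stands in for the server's public address, and the private RFC 1918 ranges stand in for the masked xxx.xxx.xxx.0/24 client network.

```ini
# Added example, not from the thread. Placeholder addresses throughout.
config setup
    # NAT-Traversal must be enabled for clients behind a NAT device.
    nat_traversal=yes
    # Inner addresses that NATed clients may propose for their end of the SA.
    # The "cannot respond to IPsec SA request because no connection is known"
    # error appears when the client's inner /32 is not covered by this list,
    # because vhost:%priv then cannot match it. The client range from the
    # thread (masked as xxx.xxx.xxx.0/24) must be included here.
    # Exclude any range that is the server's own LAN with a leading "!",
    # e.g. %v4:!192.168.1.0/24, so that clients cannot claim local addresses.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn l2tp-psk-nat
    # L2TP/IPsec uses transport mode; the tunnel is the L2TP/PPP layer above.
    type=transport
    authby=secret
    # Windows L2TP clients do not propose PFS, so leave it off.
    pfs=no
    left=192.0.2.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    # %priv accepts a client inner address inside virtual_private;
    # %no additionally accepts clients that are not behind NAT at all.
    rightsubnet=vhost:%no,%priv
    auto=add
```

With this in place, `ipsec verify` still reports the missing RSA key as [FAILED], which is expected for a PSK setup as Paul notes; the relevant check is that pluto now logs a matching conn for the client's inner address instead of the "no connection is known" message.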