[Openswan Users] L2TP/IPsec with double NAT

Paul Wouters paul at xelerance.com
Fri Aug 12 16:30:29 CEST 2005


On Fri, 12 Aug 2005, Stefano wrote:

> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.0dr9/K2.6.11-gentoo-r11 (netkey)
> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"

That's fine if you use X.509 or PSK

> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
> Opportunistic Encryption Support                                [DISABLED]

That's fine too.

> RSA private doesn't scare me, but I can't see support for masquerading, so 
> what I'm missing? Do I have to apply some patches? Which one and how (sorry, 
> but I would like to receive an answer somehow clearer that just apply the 
> patch...I don't know how!!!)

It checks for conflicting MASQ/NAT rules. It does not find any of those rules
that would break NAT. So that is not a problem. You do not need patches.
I guess it should also say "[OK]" if it finds no problems. I'll add that.

> Aug 12 14:44:09 Orione pluto[10318]: "I-hate-vpn"[2] xxx.xxx.xxx.82 #1: 
> cannot respond to IPsec SA request because no connection is known for 
> xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@laptop10.icdoc.local]:17/1701

Do you have a rightsubnet=vhost:%no,%priv with an appropriate virtual_private
line that includes xxx.xxx.xxx.0/24 ?

Or try it first without NAT?

Paul
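As an added illustration, not part of Paul's reply and not Openswan's own sample configuration, here is an ipsec.conf fragment showing the two settings he asks about: rightsubnet=vhost:%no,%priv on the L2TP connection, and a virtual_private line in config setup that covers the client's NATed address range. The addresses are placeholders (192.0.2.0/24 stands in for the masked xxx.xxx.xxx.0/24 in the log line, and 10.0.0.0/8 etc. are the usual RFC 1918 ranges); the conn names are arbitrary.

```ini
# Added example (not from the original post). Openswan 2.x ipsec.conf
# for an L2TP/IPsec responder with PSK whose clients may sit behind NAT.

config setup
    interfaces=%defaultroute
    # Enable NAT-Traversal (UDP encapsulation) for clients behind NAT.
    nat_traversal=yes
    # Address ranges a NATed client is allowed to present as its
    # "inner" address. Assumption: 192.0.2.0/24 stands in for the
    # masked xxx.xxx.xxx.0/24 seen in the pluto log. If the Openswan
    # box's own LAN overlaps one of these ranges, exclude it with a
    # "%v4:!" entry so the tunnel does not swallow local traffic.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.0.2.0/24

# Clients that are not behind NAT: their real address is the peer.
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    # left = this host (the Openswan box); placeholder address.
    left=192.0.2.85
    leftprotoport=17/1701
    # right = any road-warrior client.
    right=%any
    # Use 17/%any instead if clients do not source L2TP from port 1701.
    rightprotoport=17/1701
    auto=add

# Same connection, but accept a NATed client: %no = its real address,
# %priv = any address inside virtual_private. Listed last so pluto
# tries the non-NAT instance first.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT
```

After editing, run `ipsec verify` again and `ipsec auto --status` to confirm both conn instances are loaded; the "no connection is known for ..." error in the log goes away only when the client's inner address falls inside a range listed in virtual_private.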


