[Openswan Users] L2TP/IPsec with double NAT

Stefano stefano.pazzaglia at fastwebnet.it
Fri Aug 12 17:27:15 CEST 2005


Thanks Paul, L2TP/IPsec now seems to work between a NATed server and a 
non-NATed client. But if I'd like to make a connection with both server and 
client NATed, where the client has a subnet of 37.xxx.xxx.0 and the server has an 
interface on LAN 192.168.0.0/24, what do I have to put in virtual_private and 
rightsubnet?
Thanks
Stefano



----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Stefano" <stefano.pazzaglia at fastwebnet.it>
Cc: <users at openswan.org>
Sent: Friday, August 12, 2005 3:30 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT


> On Fri, 12 Aug 2005, Stefano wrote:
>
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path                                 [OK]
>> Linux Openswan U2.4.0dr9/K2.6.11-gentoo-r11 (netkey)
>> Checking for IPsec support in kernel                            [OK]
>> Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
>> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>
> That's fine if you use X.509 or PSK
>
>> Checking that pluto is running                                  [OK]
>> Two or more interfaces found, checking IP forwarding            [OK]
>> Checking NAT and MASQUERADEing
>> Checking for 'ip' command                                       [OK]
>> Checking for 'iptables' command                                 [OK]
>> Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
>> Opportunistic Encryption Support                              [DISABLED]
>
> That's fine too.
>
>> RSA private doesn't scare me, but I can't see support for masquerading, 
>> so what I'm missing? Do I have to apply some patches? Which one and how 
>> (sorry, but I would like to receive an answer somehow clearer that just 
>> apply the patch...I don't know how!!!)
>
> It checks for conflicting MASQ/NAT rules. It does not find any of those 
> rules that would break NAT. So that is not a problem. You do not need patches.
> I guess it should also say "[OK]" if it finds no problems. I'll add that.
>
>> Aug 12 14:44:09 Orione pluto[10318]: "I-hate-vpn"[2] xxx.xxx.xxx.82 #1: 
>> cannot respond to IPsec SA request because no connection is known for 
>> xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@laptop10.icdoc.local]:17/1701
>
> Do you have a rightsubnet=vhost:%no,%priv with an appropriate 
> virtual_private
> line that includes xxx.xxx.xxx.0/24 ?
>
> Or try it first without NAT?
>
> Paul
> 
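A small model of the virtual_private / rightsubnet=vhost:%no,%priv decision that Paul's reply points at, added here as an example and not code from the thread or from Openswan itself. It assumes the documented rule (a NATed client's inner address is accepted as a %priv virtual host only if it lies inside a %v4:/%v6: net and outside every %v4:!/%v6:! exclusion) and uses 37.0.0.0/24 as a constructed stand-in for the elided 37.xxx.xxx.0 client subnet; the server LAN 192.168.0.0/24 is the one from the thread.

```python
"""Added example, not from the thread or from Openswan: a model of how a
virtual_private= line decides whether a NATed client's inner (pre-NAT)
address may be used as a rightsubnet=vhost:%no,%priv virtual host.
Assumption: accept iff the address is inside some %v4:/%v6: net AND outside
every %v4:!/%v6:! exclusion (the documented rule; pluto's exact code is not
claimed). 37.0.0.0/24 is a constructed stand-in for the elided client subnet."""

import ipaddress


def parse_virtual_private(line):
    """Split a virtual_private= value into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for item in line.split(","):
        item = item.strip()
        if not item:
            continue
        fam, _, net = item.partition(":")  # "%v4" or "%v6", then the net
        if fam not in ("%v4", "%v6"):
            raise ValueError(f"unknown virtual_private entry: {item!r}")
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def priv_allowed(line, inner_ip):
    """True if inner_ip would be accepted via rightsubnet=vhost:%no,%priv."""
    allowed, excluded = parse_virtual_private(line)
    ip = ipaddress.ip_address(inner_ip)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


# Server LAN from the thread is 192.168.0.0/24. Without the "!" exclusion a
# remote client could present an inner address inside the server's own LAN,
# and traffic for that LAN host would be steered into the client's tunnel.
WEAK = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:37.0.0.0/24"
FIXED = WEAK + ",%v4:!192.168.0.0/24"

if __name__ == "__main__":
    for label, line in (("weak", WEAK), ("fixed", FIXED)):
        print(label, "client 37.0.0.10 ->", priv_allowed(line, "37.0.0.10"))
        print(label, "LAN-overlapping 192.168.0.50 ->",
              priv_allowed(line, "192.168.0.50"))
```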


