[Openswan Users] L2TP/IPsec with double NAT
Stefano
stefano.pazzaglia at fastwebnet.it
Fri Aug 12 17:27:15 CEST 2005
Thanks Paul, L2TP/IPsec now seems to work between a NATed server and a
non-NATed client. But if I'd like to make a connection with both server and
client NATed, where the client has a subnet of 37.xxx.xxx.0 and the server has
an interface on LAN 192.168.0.0/24, what do I have to put in virtual_private
and rightsubnet?
Thanks
Stefano
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Stefano" <stefano.pazzaglia at fastwebnet.it>
Cc: <users at openswan.org>
Sent: Friday, August 12, 2005 3:30 PM
Subject: Re: [Openswan Users] L2TP/IPsec with double NAT
> On Fri, 12 Aug 2005, Stefano wrote:
>
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.4.0dr9/K2.6.11-gentoo-r11 (netkey)
>> Checking for IPsec support in kernel [OK]
>> Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
>> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>
> That's fine if you use X.509 or PSK
>
>> Checking that pluto is running [OK]
>> Two or more interfaces found, checking IP forwarding [OK]
>> Checking NAT and MASQUERADEing
>> Checking for 'ip' command [OK]
>> Checking for 'iptables' command [OK]
>> Checking for 'setkey' command for NETKEY IPsec stack support [OK]
>> Opportunistic Encryption Support
>> [DISABLED]
>
> That's fine too.
>
>> RSA private doesn't scare me, but I can't see support for masquerading,
>> so what am I missing? Do I have to apply some patches? Which one and how
>> (sorry, but I would like to receive an answer somewhat clearer than just
>> "apply the patch"... I don't know how!!!)
>
> It checks for conflicting MASQ/NAT rules. It does not find any of those
> rules that would break NAT. So that is not a problem. You do not need patches.
> I guess it should also say "[OK]" if it finds no problems. I'll add that.
>
>> Aug 12 14:44:09 Orione pluto[10318]: "I-hate-vpn"[2] xxx.xxx.xxx.82 #1:
>> cannot respond to IPsec SA request because no connection is known for
>> xxx.xxx.xxx.85/32===xxx.xxx.xxx.91:17/1701...xxx.xxx.xxx.82[@laptop10.icdoc.local]:17/1701
>
> Do you have a rightsubnet=vhost:%no,%priv with an appropriate
> virtual_private line that includes xxx.xxx.xxx.0/24 ?
>
> Or try it first without NAT?
>
> Paul
>
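The two settings Paul asks about, shown together as an added example that is not part of the original thread (it is neither Paul's nor Stefano's configuration): an Openswan 2.4-era ipsec.conf for an L2TP/IPsec road-warrior connection behind NAT. The server LAN 192.168.0.0/24 comes from the thread; the server's interface address, the client's NATed range and the PSK are placeholders.

```ini
# Added example, not the thread's own configuration. SERVER-PRIVATE-IP,
# CLIENT-SUBNET and the PSK in ipsec.secrets are placeholders.
config setup
    nat_traversal=yes
    # Private ranges a NATed peer may sit behind. The server's own LAN
    # (192.168.0.0/24, from the thread) is excluded with "!" so pluto does not
    # treat a client's virtual address as overlapping the local subnet.
    # CLIENT-SUBNET/24 stands in for the client's 37.xxx.xxx.0 range.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:CLIENT-SUBNET/24,%v4:!192.168.0.0/24

conn l2tp-psk-nat
    type=transport
    authby=secret
    pfs=no
    left=SERVER-PRIVATE-IP        # placeholder: server address on its NATed LAN
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any        # a NATed client's source port may be rewritten
    rightsubnet=vhost:%no,%priv   # accept a virtual host address drawn from virtual_private
    auto=add
```

With rightsubnet=vhost:%no,%priv the server accepts a peer whose inner address is either its outer address (%no) or any address inside the ranges listed in virtual_private (%priv); a NATed client whose real subnet is missing from virtual_private is rejected, which matches the "no connection is known for ..." log line Paul is asking about. The "!" exclusion of the server's own LAN is required, because Openswan refuses a virtual address range that overlaps a directly attached subnet. The matching ipsec.secrets entry for a PSK road-warrior setup is of the form `%any %any : PSK "placeholder-secret"`.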