[Openswan Users] Good old Nat

Fred Strauss stridervc at gmail.com
Mon Aug 15 17:31:02 CEST 2005


On 8/15/05, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 15 Aug 2005, Fred Strauss wrote:
> 
> > I have an RHEL 4 box running openswan and acting as a vpn server for a
> > roadwarrior, also running openswan.
> > I'm using X.509 certificates, and everything works fine when the
> > roadwarrior dials up directly and then connects the VPN.
> >
> > However, when I try to get the exact same setup working with the
> > roadwarrior behind a router I get an error like this (sensitive bits
> > x'ed out):
> > Aug 15 16:02:29 xxx pluto[xxxx]: "obs-roadwarrior"[2]
> > xxx.xxx.xxx.xxx:4500 #1: cannot respond to IPsec SA request because no
> > connection is known for 192.168.2.0/24===xxx.xxx.xxx.xxx:4500[C=ZA,
> > ST=Gauteng, L=Johannesburg, O=xxx, CN=xxx,
> > E=xxx at xxx.xx.xx]...xxx.xxx.xxx.xxx:4500[C=ZA, ST=Gauteng,
> > L=Johannesburg, O=xxx, CN=xxx, E=xxx at xxx.xx.xx]===192.168.0.14/32
> >
> > I make the necessary config changes, nat_traversal is enabled on both
> > sides. Both sides are running openswan 2.3.0 and both sides have
> > kernel 2.6.x
> 
> Does openswan say it activated NAT-Traversal at startup? If so, what are
> your virtual_private= settings and your conn setting?

Hi

Yes, I get "including NAT-Traversal patch (Version 0.6c)" on both the
server and the roadwarrior at startup. When I try to connect the
server logs that the peer is natted, and the roadwarrior logs "I'm
natted".

I don't know what virtual_private is; is that a setting I'm missing?
Here is the conn section on the server side:
conn xxx-roadwarrior
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.2.0/24
        leftrsasigkey=%cert
        leftcert=xxx.pem
        right=%any
        rightrsasigkey=%cert
        auto=add
        pfs=yes

and here's the one on the roadwarrior side:
conn xxx
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=yyy.pem
    right=xxx #(a fqdn)
    rightsubnet=192.168.2.0/24
    rightrsasigkey=%cert
    rightcert=xxx.pem
    auto=add
    pfs=yes

Thanks for your help, I really appreciate it.

Kind regards
Fred

-- 
Fred Strauss
Obsidian Systems (Pty) Ltd.
http://www.obsidian.co.za - we know xuniL
http://www.strider.co.za/gpg.pub
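The error quoted above ("no connection is known for ... ===192.168.0.14/32") is pluto refusing a peer whose inner address, behind the router, is a private one the server has no conn for. The following Python script is an added example and is not code from the thread or from the Openswan project: it embeds the server conn exactly as posted, beside a constructed variant that adds a `virtual_private=` list in `config setup` and `rightsubnet=vhost:%priv,%no` on the conn, then models (as an assumption about Openswan's matching rules) whether the peer's inner address from the log line would be accepted as a virtual host. The exact `virtual_private` ranges and the `vhost:` form are assumed values for the example, not settings from the thread.

```python
"""Model Openswan's virtual_private / vhost acceptance for a NAT'ed roadwarrior.

Added example, not from the mailing-list thread.  The config fragments and
the matching rules below are constructed for illustration.
"""
import ipaddress
import re

# The server conn exactly as posted in the thread: no virtual_private, and
# rightsubnet is unset, so the peer's private inner address has no match.
ORIGINAL_SERVER_CONF = """\
conn xxx-roadwarrior
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.2.0/24
        leftrsasigkey=%cert
        leftcert=xxx.pem
        right=%any
        rightrsasigkey=%cert
        auto=add
        pfs=yes
"""

# Constructed variant: virtual_private lists the private ranges a roadwarrior
# may appear from, and excludes (with !) the server's own LAN so a peer can
# never claim an address overlapping the protected subnet.
FIXED_SERVER_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24

conn xxx-roadwarrior
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.2.0/24
        leftrsasigkey=%cert
        leftcert=xxx.pem
        right=%any
        rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert
        auto=add
        pfs=yes
"""

# The pluto line from the thread, joined onto one line, x'ed-out fields kept.
LOG_LINE = (
    'Aug 15 16:02:29 xxx pluto[xxxx]: "obs-roadwarrior"[2] xxx.xxx.xxx.xxx:4500 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "192.168.2.0/24===xxx.xxx.xxx.xxx:4500[C=ZA, ST=Gauteng, L=Johannesburg, O=xxx, "
    "CN=xxx, E=xxx at xxx.xx.xx]...xxx.xxx.xxx.xxx:4500[C=ZA, ST=Gauteng, "
    "L=Johannesburg, O=xxx, CN=xxx, E=xxx at xxx.xx.xx]===192.168.0.14/32"
)


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; headers are the unindented lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split a %v4: list into (allowed networks, excluded networks); IPv4 only."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        net = item[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def vhost_allowed(addr, allowed, excluded):
    """An inner address is a valid vhost if some allowed range covers it and no excluded one does."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in allowed) and not any(a in n for n in excluded)


def peer_inner_subnet_from_log(line):
    """Pull the trailing '===a.b.c.d/n' (the peer's proposed inner subnet) off the pluto line."""
    m = re.search(r"===(\d+\.\d+\.\d+\.\d+/\d+)\s*$", line)
    return ipaddress.ip_network(m.group(1)) if m else None


def check_roadwarrior(conf_text, conn_name, log_line):
    """Return (accepted, reason) for the peer subnet in log_line against conf_text."""
    sections = parse_ipsec_conf(conf_text)
    setup = sections.get("config setup", {})
    conn = sections.get("conn " + conn_name, {})
    inner = peer_inner_subnet_from_log(log_line)
    if inner is None:
        return False, "no peer inner subnet found in log line"
    if "virtual_private" not in setup:
        return False, "virtual_private is not set in config setup"
    if not conn.get("rightsubnet", "").startswith("vhost:"):
        return False, "rightsubnet must be vhost:... to accept a NAT'ed peer's inner address"
    allowed, excluded = parse_virtual_private(setup["virtual_private"])
    leftsubnet = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    if not any(leftsubnet.subnet_of(x) for x in excluded):
        return False, "leftsubnet %s must be excluded from virtual_private" % leftsubnet
    if not vhost_allowed(inner.network_address, allowed, excluded):
        return False, "%s is not covered by virtual_private" % inner
    return True, "peer subnet %s accepted as a virtual host" % inner


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        print(label, check_roadwarrior(conf, "xxx-roadwarrior", LOG_LINE))
```

Run stand-alone it reports the posted conn as rejected (no `virtual_private`) and the constructed one as accepting 192.168.0.14/32; swapping the trailing subnet in `LOG_LINE` for one inside 192.168.2.0/24 shows the exclusion doing its job.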

