[Openswan Users] winxp behind on server behind nat patch
Jacco de Leeuw
jacco2 at dds.nl
Fri Feb 25 11:17:02 CET 2005
Bernd Galonska wrote:
> To connect win2k winxp with l2tp over ipsec to openswan/strongswan a server
> behind Nat is impossible.
I could not get this to work either. I forwarded UDP 500/4500 from the
NAT router to the Openswan server and the connection was not accepted.
I added a leftnexthop= line with the public IP address of the NAT router.
I also had to add a leftsubnet= line with the private IP address of the
client. Then the IPsec connection was accepted but L2TP packets were sent
unencrypted, and not through the tunnel. I did not investigate this further.
> winXp ===> nat-router ------- nat-router ===> openswan/strongswan
> 192.168.203.137    192.168.1.2        192.168.1.10       192.168.1.3
> private address    public address     public address     private address
My setup was similar except for the 192.168.1.3. Is 192.168.1.3 within
the same subnet as 192.168.1.2 and 192.168.1.10? How can you expect
this to work?
Let's assume the Windows client is not behind NAT (to reduce complexity):
    Windows      1.1.1.1
                   ||
                   ||  Internet
    NAT router   2.2.2.2
                 192.168.1.10
                   |
                   |   LAN
    Openswan     192.168.1.3
Here the NAT router is forwarding UDP 500/4500 on the external
interface 2.2.2.2 to the Openswan server on the internal network
at 192.168.1.3.
Regarding Bernd's patch, I can't vouch for it but I would like
a change for this particular line because it is a bit cryptic:
> + DBG(DBG_CONTROL, DBG_log("using old for transport mod connection
> \"%s\"", p->name));
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
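An added check for the symptom Jacco reports above (IPsec accepted, but L2TP leaving in the clear rather than inside the tunnel). This is example code written for this page, not from the thread or from Openswan; it classifies a constructed capture taken on the Internet side of the NAT router, using the addresses from the diagram (Windows 1.1.1.1, NAT router 2.2.2.2), and flags any UDP 1701 traffic between the peers that is not wrapped in NAT-T UDP 4500.

```python
# Added example: detect L2TP (UDP 1701) travelling outside the IPsec SA.
# With NAT-T, once IKE (UDP 500) is done, everything between the peers
# should appear on the wire as ESP-in-UDP on port 4500.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

IKE, NAT_T, L2TP = 500, 4500, 1701


def classify(pkt, client_ip, server_ip):
    """Label one packet as seen on the Internet side of the NAT router."""
    if {pkt.src, pkt.dst} != {client_ip, server_ip} or pkt.proto != "udp":
        return "unrelated"
    if IKE in (pkt.sport, pkt.dport):
        return "ike"
    if NAT_T in (pkt.sport, pkt.dport):
        return "esp-in-udp"        # L2TP should be riding inside these
    if L2TP in (pkt.sport, pkt.dport):
        return "l2tp-cleartext"    # the reported bug: L2TP outside the tunnel
    return "other"


def find_leaks(packets, client_ip, server_ip):
    """Return every L2TP packet that bypassed the IPsec tunnel."""
    return [p for p in packets
            if classify(p, client_ip, server_ip) == "l2tp-cleartext"]


# Constructed capture (not real data): IKE, then NAT-T, then the symptom.
CAPTURE = [
    Packet("1.1.1.1", "2.2.2.2", "udp", 500, 500),
    Packet("2.2.2.2", "1.1.1.1", "udp", 500, 500),
    Packet("1.1.1.1", "2.2.2.2", "udp", 4500, 4500),
    Packet("2.2.2.2", "1.1.1.1", "udp", 4500, 4500),
    Packet("1.1.1.1", "2.2.2.2", "udp", 1701, 1701),   # leak
    Packet("2.2.2.2", "1.1.1.1", "udp", 1701, 1701),   # leak
]

if __name__ == "__main__":
    for leak in find_leaks(CAPTURE, "1.1.1.1", "2.2.2.2"):
        print("L2TP outside IPsec:", leak)
```

On a live setup the equivalent check is a capture on the NAT router's external interface filtered on udp port 1701: a working L2TP/IPsec tunnel shows nothing there, only port 4500 traffic.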