[Openswan Users] openswan behind nat firewall

Jacco de Leeuw jacco2 at dds.nl
Sat Jan 29 18:25:54 CET 2005

Dino Dragovic wrote:

> I am trying to set up Openswan as a VPN server (and L2TP) behind a firewall
> which is doing NAT.

I have not yet managed to get this working myself. With some tweaking
I got the IPsec connection up but L2TP reply packets were not tunnelled
through it.

> conn road
>         authby=rsasig
>         left=
>         leftsubnet=
>         leftnexthop=

Shouldn't leftnexthop be the IP address of your router?

>         leftcert=/etc/ipsec.d/certs/asgard.crt
>         leftid="/C=xx/ST=xxxxx/L=xxxxx/O=xxxx/OU=xxxx..."

Does the ID match the one in the cert?

> Firewall is dnat-ing udp 500,4500 and 1701 to

L2TP (UDP 1701) should not be DNAT-ed. It is tunnelled in IPsec.

> cannot respond to IPsec SA request because no connection
>  is known for[C=hr, ST=Croatia, 
> L=Osijek, O=Demo, OU=xxxx, CN=xxxx, 
> E=xxxxx]:17/1701...[C=hr, ST=Croatia, L=Osijek, O=Demo, 
> OU=yyy, CN=yyy, E=yyyy]: 17/1701

Perhaps some more tweaking of the ipsec.conf is required. But even then,
the L2TP part might not work.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
