[Openswan Users] openswan behind nat firewall
Jacco de Leeuw
jacco2 at dds.nl
Sat Jan 29 18:25:54 CET 2005
Dino Dragovic wrote:
> I am trying to setup Openswan as a vpn server (and l2tp) behind firewall
> which is doing nat.
I have not yet managed to get this working myself. With some tweaking
I got the IPsec connection up but L2TP reply packets were not tunnelled
through it.
> conn road
> authby=rsasig
> left=192.168.0.2
> leftsubnet=161.53.203.233/32
> leftnexthop=161.53.203.233
Shouldn't leftnexthop be the IP address of your router?
> leftcert=/etc/ipsec.d/certs/asgard.crt
> leftid="/C=xx/ST=xxxxx/L=xxxxx/O=xxxx/OU=xxxx..."
Does the ID match the one in the cert?
> Firewall is dnat-ing udp 500,4500 and 1701 to 192.168.0.2.
L2TP (UDP 1701) should not be DNAT-ed. It is tunnelled in IPsec.
> cannot respond to IPsec SA request because no connection
> is known for 161.53.203.233/32===192.168.0.2:4500[C=hr, ST=Croatia,
> L=Osijek, O=Demo, OU=xxxx, CN=xxxx,
> E=xxxxx]:17/1701...193.198.72.3:4500[C=hr, ST=Croatia, L=Osijek, O=Demo,
> OU=yyy, CN=yyy, E=yyyy]: 17/1701
Perhaps some more tweaking of the ipsec.conf is required. But even then,
the L2TP part might not work.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
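Added example (not part of either mail in this thread, and not Openswan code): the "no connection is known for" message Pluto logs has a fixed shape, left-end...right-end, where each end is [clientsubnet===]host[:ikeport][\[id\]][:proto/port]. Port 4500 on both ends shows NAT traversal is in use, and the trailing 17/1701 on both ends is the L2TP protocol/port selector the client proposes. Being able to split that line into its parts and hold it next to the conn from ipsec.conf is most of the debugging here. The script below does that for the line quoted above and for the quoted conn road; it assumes right=%any (the quoted conn is truncated and does not show its right side), and its comparison is a simplified stand-in for Pluto's connection lookup that only looks at addresses and protoport selectors, ignoring IDs, certificates and authby.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the wrapped Pluto message quoted in the thread, rejoined onto one line.
SAMPLE_LOG = (
    "cannot respond to IPsec SA request because no connection is known for "
    "161.53.203.233/32===192.168.0.2:4500[C=hr, ST=Croatia, L=Osijek, O=Demo, "
    "OU=xxxx, CN=xxxx, E=xxxxx]:17/1701...193.198.72.3:4500[C=hr, ST=Croatia, "
    "L=Osijek, O=Demo, OU=yyy, CN=yyy, E=yyyy]: 17/1701"
)

# The quoted conn road as a dict of ipsec.conf keywords. right=%any is an assumption:
# the quoted conn is truncated and does not show its right side.
CONN_ROAD = {
    "left": "192.168.0.2",
    "leftsubnet": "161.53.203.233/32",
    "leftnexthop": "161.53.203.233",
    "right": "%any",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One end of the proposed SA as Pluto prints it: [subnet===]host[:ikeport][\[id\]][:proto/port]
END_RE = re.compile(
    rf"(?:(?P<subnet>{IPV4}/\d{{1,2}})===)?"   # client subnet, absent when it is the host itself
    rf"(?P<host>{IPV4})(?::(?P<ikeport>\d+))?"  # IKE endpoint; port 4500 means NAT-T is in use
    r"(?:\[(?P<ident>[^\]]*)\])?"               # peer ID, here a certificate DN
    r"(?::\s*(?P<protoport>\d+/\d+))?"          # protocol/port selector; absent means 0/0 (none)
)
NO_CONN_RE = re.compile(r"no connection is known for\s+(?P<selectors>\S.*)$")


@dataclass
class End:
    host: str
    subnet: str           # client subnet behind this end; host/32 when none was printed
    ike_port: int         # 500, or 4500 once NAT traversal has been negotiated
    ident: Optional[str]  # ID as printed between [ ]
    protoport: str        # "proto/port" selector, "0/0" when the peer proposed none


def _end_from_match(m: "re.Match") -> End:
    host = m.group("host")
    return End(
        host=host,
        subnet=m.group("subnet") or f"{host}/32",
        ike_port=int(m.group("ikeport") or 500),
        ident=m.group("ident"),
        protoport=m.group("protoport") or "0/0",
    )


def parse_no_connection(line: str) -> Tuple[End, End]:
    """Split a 'no connection is known for L...R' message into its left and right ends."""
    m = NO_CONN_RE.search(line)
    if not m:
        raise ValueError("not a 'no connection is known' message")
    sel = m.group("selectors")
    lm = END_RE.match(sel)
    if not lm or not sel.startswith("...", lm.end()):
        raise ValueError(f"cannot parse left end of {sel!r}")
    rm = END_RE.match(sel, lm.end() + 3)
    if not rm:
        raise ValueError(f"cannot parse right end of {sel!r}")
    return _end_from_match(lm), _end_from_match(rm)


def protoport_covers(cfg: str, proposed: str) -> bool:
    """Does an ipsec.conf *protoport value accept the selector the peer proposed?
    An omitted value (0/0) only accepts proposals without a selector; '17/%any'
    accepts any UDP port; anything else must match exactly."""
    if cfg == "0/0":
        return proposed == "0/0"
    cproto, cport = cfg.split("/")
    pproto, pport = proposed.split("/")
    return cproto == pproto and (cport == "%any" or cport == pport)


def conn_mismatches(conn: dict, left: End, right: End) -> List[str]:
    """Simplified selector comparison (addresses and protoport only, no ID/cert checks)."""
    problems = []
    if conn["left"] != left.host:
        problems.append(f"left: conn has {conn['left']}, peer proposed {left.host}")
    want_subnet = conn.get("leftsubnet", f"{conn['left']}/32")
    if want_subnet != left.subnet:
        problems.append(f"leftsubnet: conn has {want_subnet}, peer proposed {left.subnet}")
    cfg = conn.get("leftprotoport", "0/0")
    if not protoport_covers(cfg, left.protoport):
        problems.append(f"leftprotoport: conn has {cfg}, peer proposed {left.protoport}")
    right_cfg = conn.get("right", "%any")
    if right_cfg != "%any" and right_cfg != right.host:
        problems.append(f"right: conn has {right_cfg}, peer is {right.host}")
    cfg = conn.get("rightprotoport", "0/0")
    if not protoport_covers(cfg, right.protoport):
        problems.append(f"rightprotoport: conn has {cfg}, peer proposed {right.protoport}")
    return problems


def check_sample() -> List[str]:
    left, right = parse_no_connection(SAMPLE_LOG)
    return conn_mismatches(CONN_ROAD, left, right)


if __name__ == "__main__":
    for p in check_sample():
        print(p)
```

Run against the quoted line, the address parts of conn road line up with what the client proposed, and the only differences it reports are the protoport selectors: the client asks for 17/1701 on both ends while the quoted conn carries no protoport at all.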