[Openswan Users] openswan behind nat firewall

Jacco de Leeuw jacco2 at dds.nl
Sat Jan 29 18:25:54 CET 2005


Dino Dragovic wrote:

> I am trying to setup Openswan as a vpn server (and l2tp) behind firewall 
> which is doing nat.

I have not yet managed to get this working myself. With some tweaking
I got the IPsec connection up but L2TP reply packets were not tunnelled
through it.

> conn road
>         authby=rsasig
>         left=192.168.0.2
>         leftsubnet=161.53.203.233/32
>         leftnexthop=161.53.203.233

Shouldn't leftnexthop be the IP address of your router?

>         leftcert=/etc/ipsec.d/certs/asgard.crt
>         leftid="/C=xx/ST=xxxxx/L=xxxxx/O=xxxx/OU=xxxx..."

Does the ID match the one in the cert?

> Firewall is dnat-ing udp 500,4500 and 1701 to 192.168.0.2.

L2TP (UDP 1701) should not be DNAT-ed. It is tunnelled in IPsec.

> cannot respond to IPsec SA request because no connection
>  is known for 161.53.203.233/32===192.168.0.2:4500[C=hr, ST=Croatia, 
> L=Osijek, O=Demo, OU=xxxx, CN=xxxx, 
> E=xxxxx]:17/1701...193.198.72.3:4500[C=hr, ST=Croatia, L=Osijek, O=Demo, 
> OU=yyy, CN=yyy, E=yyyy]: 17/1701

Perhaps some more tweaking of the ipsec.conf is required. But even then,
the L2TP part might not work.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl