[Openswan Users] connection could not be established, client loop the request, both are NATed!]
Jacco de Leeuw
jacco2 at dds.nl
Mon Jul 11 19:31:43 CEST 2005
foren titze wrote:
>>You could post your ipsec.conf. Are you using:
>>leftnexthop=<internal_IP_of_your_NAT_Firewall> ?
>
> It was set: leftnexthop=%defaultroute
> and this is 10.0.0.1 the internal IP of the nating Router.
>
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> forwardcontrol=on
> nat_traversal=yes
> ##############
> uniqueids=yes
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
You seem to be using Nate Carlson's configuration files but they need some
corrections. First, you should exclude your internal subnet if you want
roadwarriors to use NAT-T. I don't know what your internal subnet is
but let's assume that it is 10.0.0.0/24. Then add this:
,%v4:!10.0.0.0/24
> conn test
> authby=rsasig
> right=%any
> leftnexthop=%defaultroute
> rightnexthop=192.168.121.1
rightnexthop? What if you comment this line?
> rightid=""
I don't know what you are trying to achieve with left/rightid="".
> rightprotoport=17/1701
> leftprotoport=17/1701 ##for updated winxp 1701
> #rightcert=certs/titze_cert.pem
Uncomment this line or use:
rightca=%same
> leftupdown=/etc/ipsec.d/_updown.x509
> pfs=no
> auto=add
If the client is NATed you should also add:
rightsubnet=vhost:%no,%priv
> Sorry, but I was wrong. In my testing, only the server was NATed. The peer was
> not NATed.
The Openswan log says that both are NATed. But that is incorrect?
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
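To make the point about virtual_private concrete, here is an added example (not code from the thread or from Openswan) that assembles the corrections suggested above into one constructed ipsec.conf fragment and checks which inner addresses a NAT-T roadwarrior could claim under the original and the corrected virtual_private. It assumes the internal LAN is 10.0.0.0/24, as guessed in the reply, adds a left=%defaultroute line that the quoted conn did not show, and leaves out the left-side certificate settings. The parser reproduces only the documented semantics (%v4:<net> allows, %v4:!<net> excludes, exclusions win); Openswan's real matching lives in pluto.

```python
"""
Check whether an Openswan 'virtual_private' value lets a NAT-T roadwarrior
claim an address inside the gateway's own internal subnet.

Added example for this thread, not Openswan code. Assumes the internal LAN
is 10.0.0.0/24 and uses a constructed ipsec.conf fragment.
"""
import ipaddress
import re

# Constructed fragment combining the suggestions from the reply:
# exclude the internal LAN from virtual_private, use rightca=%same,
# and allow NATed clients with rightsubnet=vhost:%no,%priv.
# left=%defaultroute is an assumption; the quoted conn did not show it.
CORRECTED_CONF = """\
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24

conn test
    authby=rsasig
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    leftupdown=/etc/ipsec.d/_updown.x509
    right=%any
    rightprotoport=17/1701
    rightca=%same
    rightsubnet=vhost:%no,%priv
    pfs=no
    auto=add
"""

# The value as it appeared in the original posting (no exclusion).
ORIGINAL_VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"


def get_setting(conf: str, key: str) -> str:
    """Return the value of the first 'key=value' line in the fragment."""
    m = re.search(rf"^\s*{re.escape(key)}=(\S+)", conf, re.MULTILINE)
    if m is None:
        raise KeyError(key)
    return m.group(1)


def parse_virtual_private(value: str):
    """Split a virtual_private value into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # only IPv4 entries are handled in this example
        spec = item[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(spec, strict=False))
    return allowed, excluded


def virtual_ip_accepted(value: str, addr: str) -> bool:
    """Would a client proposing 'addr' as its inner address be accepted?"""
    ip = ipaddress.ip_address(addr)
    allowed, excluded = parse_virtual_private(value)
    if any(ip in net for net in excluded):
        return False  # an exclusion always wins
    return any(ip in net for net in allowed)


def internal_subnet_exposed(value: str, internal: str) -> bool:
    """True if some address of the internal LAN could be claimed by a roadwarrior."""
    lan = ipaddress.ip_network(internal, strict=False)
    allowed, excluded = parse_virtual_private(value)
    covered = any(lan.overlaps(net) for net in allowed)
    shielded = any(lan.subnet_of(net) for net in excluded)
    return covered and not shielded


if __name__ == "__main__":
    fixed = get_setting(CORRECTED_CONF, "virtual_private")
    for label, vp in (("original", ORIGINAL_VIRTUAL_PRIVATE), ("corrected", fixed)):
        print(f"{label}: 10.0.0.5 accepted={virtual_ip_accepted(vp, '10.0.0.5')}, "
              f"LAN exposed={internal_subnet_exposed(vp, '10.0.0.0/24')}")
```

With the original value a client behind NAT can present 10.0.0.5, an address of the gateway's own LAN, and the gateway would install policy for it; appending %v4:!10.0.0.0/24 closes that while still letting clients on other RFC 1918 ranges (such as the 192.168.121.0/24 mentioned in the quoted conn) through.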