[Openswan Users] connection could not be established, client
loop the request, both are NATed!]
foren.titze at gmx.net
Tue Jul 12 09:49:20 CEST 2005
Am Montag, 11. Juli 2005 18:31 schrieb Jacco de Leeuw:
> foren titze wrote
> >>You could post your ipsec.conf. Are you using:
> >>leftnexthop=<internal_IP_of_your_NAT_Firewall> ?
> > It was set: leftnexthop=%defaultroute
> > and this is 10.0.0.1 the internal IP of the nating Router.
> > config setup
> > interfaces=%defaultroute
> > klipsdebug=none
> > plutodebug=none
> > forwardcontrol=on
> > nat_traversal=yes
> > ##############
> > uniqueids=yes
> > virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> You seem to be using Nate Carlson's configuration files but they need some
> corrections. First, you should exclude your internal subnet if you want
> roadwarriors to use NAT-T. I don't know what your internal subnet is
> but let's assume that it is 10.0.0.0/24. Then add this:
Yes I have added %v4:!192.168.121.0/24
I have red this before in another thread.
> > conn test
> > authby=rsasig
> > right=%any
> > leftnexthop=%defaultroute
> > rightnexthop=192.168.121.1
> rightnexthop? What if you comment this line?
I would try this.
> > rightid=""
> I don't know what you are trying to achieve with left/rightid="".
I have left it clear to beware our secrets. Normaly there is filled with the
right stuff: the subject of this certificate.
> > rightprotoport=17/1701
> > leftprotoport=17/1701 ##for updated winxp 1701
> > #rightcert=certs/titze_cert.pem
> Uncomment this line or use:
What line? Do you mean #rightcert=, anytime I heard, that rightcert must not
be given in ipsec.conf, because the roadwarrior sends his certificate.
Whatever, the config was working without server is nated.
> > leftupdown=/etc/ipsec.d/_updown.x509
> > pfs=no
> > auto=add
> If the client is NATed you should also add:
Can I use this if the client is not nated?
So I would try to make all conn equal, whatever the client is. Sometimes the
same client is nated and sometimes not.
> > Sorry. but I was wrong. At my testing, only the server was nated. The
> > peer was not nated.
> The Openswan log says that both are NATed. But that is incorrect?
The Logfile is not right in that way.
The Client wasn't nated, I think he came with an external IP; from Vodafone
More information about the Users