[Openswan Users] connection could not be established, client loops the request, both are NATed!

foren titze foren.titze at gmx.net
Tue Jul 12 09:49:20 CEST 2005


On Monday, 11 July 2005 18:31, Jacco de Leeuw wrote:
> foren titze wrote
>
> >>You could post your ipsec.conf. Are you using:
> >>leftnexthop=<internal_IP_of_your_NAT_Firewall> ?
> >
> > It was set: leftnexthop=%defaultroute
> > and this is 10.0.0.1 the internal IP of the nating Router.
> >
> > config setup
> >      interfaces=%defaultroute
> >      klipsdebug=none
> >      plutodebug=none
> >      forwardcontrol=on
> >      nat_traversal=yes
> >      ##############
> >      uniqueids=yes
> >      virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> You seem to be using Nate Carlson's configuration files but they need some
> corrections. First, you should exclude your internal subnet if you want
> roadwarriors to use NAT-T. I don't know what your internal subnet is
> but let's assume that it is 10.0.0.0/24. Then add this:
>
>             ,%v4:!10.0.0.0/24
Yes, I have added %v4:!192.168.121.0/24.
I read this before in another thread.
>
> > conn test
> >      authby=rsasig
> >      right=%any
> >      leftnexthop=%defaultroute
> >      rightnexthop=192.168.121.1
>
> rightnexthop? What if you comment out this line?
I would try this.
>
> >      rightid=""
>
> I don't know what you are trying to achieve with left/rightid="".
I have left it empty to protect our secrets. Normally it is filled with the
right content: the subject of this certificate.
>
> >      rightprotoport=17/1701
> >      leftprotoport=17/1701      ##for updated winxp 1701
> >      #rightcert=certs/titze_cert.pem
>
> Uncomment this line or use:
>
>         rightca=%same
What line? Do you mean #rightcert=? Some time ago I heard that rightcert must
not be given in ipsec.conf, because the roadwarrior sends its certificate.
Anyway, the config was working when the server was not NATed.
>
> >      leftupdown=/etc/ipsec.d/_updown.x509
> >      pfs=no
> >      auto=add
>
> If the client is NATed you should also add:
>
>            rightsubnet=vhost:%no,%priv
Can I use this if the client is not NATed?
I would like to make all conns equal, whatever the client is. Sometimes the
same client is NATed and sometimes not.
>
> > Sorry. but I was wrong. At my testing, only the server was nated. The
> > peer was not nated.
>
> The Openswan log says that both are NATed. But that is incorrect?
>
The logfile is not right in that respect.
The client wasn't NATed; I think it came with an external IP from Vodafone
UMTS.

Thx Ben
> Jacco
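For readers following this thread, here is an added example (not part of the original mail exchange, and not Jacco's or Nate Carlson's own configuration file) of what the server-side ipsec.conf looks like once the corrections discussed above are applied together: the gateway's own internal subnet (192.168.121.0/24, as Ben states) excluded from virtual_private, rightnexthop removed, rightca=%same instead of a fixed rightcert, and rightsubnet=vhost:%no,%priv so that the same conn serves clients that are NATed and clients that are not. The conn name and the leftcert path are hypothetical placeholders.

```ini
config setup
     interfaces=%defaultroute
     klipsdebug=none
     plutodebug=none
     forwardcontrol=on
     nat_traversal=yes
     uniqueids=yes
     # Exclude the gateway's own internal subnet from the virtual private
     # ranges: a NATed roadwarrior must never be allowed to claim an address
     # that belongs to the LAN behind this gateway (192.168.121.0/24 here).
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.121.0/24

# Hypothetical conn name for an L2TP/IPsec roadwarrior with X.509 auth
conn l2tp-x509-roadwarrior
     authby=rsasig
     left=%defaultroute
     leftnexthop=%defaultroute
     # Hypothetical path: the gateway's own certificate
     leftcert=certs/gateway_cert.pem
     leftprotoport=17/1701
     leftupdown=/etc/ipsec.d/_updown.x509
     right=%any
     # No rightnexthop: with right=%any the peer's next hop is not known in
     # advance, so leave it out as suggested in the thread.
     rightprotoport=17/1701
     # Accept any peer certificate issued by the same CA as leftcert, rather
     # than pinning one specific client certificate with rightcert=
     rightca=%same
     # vhost:%no accepts the client's real (public) address, %priv accepts a
     # private address from virtual_private; together they cover a client
     # that is sometimes behind NAT and sometimes not.
     rightsubnet=vhost:%no,%priv
     pfs=no
     auto=add
```

Note that %priv is only as safe as the exclusion list in virtual_private: every internal subnet reachable through this gateway should appear there with a leading "!", otherwise a roadwarrior could negotiate a virtual address that overlaps the LAN.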