[Openswan Users] connection could not be established, client loop the request, both are NATed!]

Jacco de Leeuw jacco2 at dds.nl
Tue Jul 12 11:46:26 CEST 2005


Foren Titze wrote:

> > > and this is 10.0.0.1 the internal IP of the NATing router.
> >             ,%v4:!10.0.0.0/24
> Yes, I have added %v4:!192.168.121.0/24

But 10.0.0.1 is the internal IP address of your NAT router?
Do you use both 192.168.121.0/24 and 10.0.0.0/24 on your
internal network? If so, then you need to exclude both in virtual_private.

> > I don't know what you are trying to achieve with left/rightid="".
> I have left it clear to beware our secrets. Normally it is filled with the
> right stuff: the subject of this certificate.

I see. Good call. But if you'd used something like rightid="blahblah"
it would have been immediately obvious.

> > >      #rightcert=certs/titze_cert.pem
> >
> > Uncomment this line or use:
> >
> >         rightca=%same
> What line? Do you mean #rightcert=? Whenever I have heard about it, rightcert must not
> be given in ipsec.conf, because the roadwarrior sends his certificate.

Well yes, but the server can use rightcert to extract the certificate details
(i.e. rightid) automatically from the file. There are several ways of specifying
the certificates that are allowed but your current configuration is incomplete.
That's why I recommended using rightcert or rightca.

> Whatever, the config was working without the server being NATed.

Whatever... But you could have run into a problem later on when you used
multiple servers:
http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#Wrong_certificate

> >            rightsubnet=vhost:%no,%priv
> Can I use this if the client is not nated?

Certainly. The %no makes that possible.

> > The Openswan log says that both are NATed. But that is incorrect?
> >
> The logfile is not right in that way.
> The client wasn't NATed, I think he came with an external IP; from Vodafone
> UMTS.

I think you should trust the Openswan team and the NAT-T standardisation people
on this one. Or perhaps you could file a bug report if you are confident.
Could you try to repeat the experiment with a public IP, e.g. by using dial-up,
ISDN or GSM CSD?

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
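Pulling the pieces of this thread together, here is an added server-side ipsec.conf sketch (my own example, not Foren's configuration or Jacco's code): both internal subnets named in the thread are excluded from virtual_private, rightca=%same stands in for the commented-out rightcert, and rightsubnet=vhost:%no,%priv accepts NATed and non-NATed roadwarriors alike. The certificate file name, the connection name and which subnet is the server's leftsubnet are assumptions.

```ini
config setup
        # NAT-T must be enabled for a NATed client (or server) to work at all.
        nat_traversal=yes
        # Address ranges a roadwarrior may claim as its "virtual" IP.
        # Every subnet actually in use behind this server must be excluded
        # with "!", otherwise a NATed client on the same range collides with
        # the local network. Both subnets from the thread are excluded here.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.121.0/24

conn roadwarrior-x509
        authby=rsasig
        left=%defaultroute
        # Server certificate (file name assumed); the key is taken from it.
        leftcert=vpnserver-cert.pem
        leftrsasigkey=%cert
        # Internal subnet reachable through the tunnel (assumed to be this one).
        leftsubnet=192.168.121.0/24
        # Any client may connect; it sends its own certificate during IKE,
        # so no rightcert is needed on the server side.
        right=%any
        rightrsasigkey=%cert
        # Instead of a per-client rightcert/rightid pair, accept any client
        # certificate issued by the same CA that issued leftcert.
        rightca=%same
        # %no: client is not NATed and uses its real address.
        # %priv: client sits behind NAT and gets an address from virtual_private.
        rightsubnet=vhost:%no,%priv
        pfs=yes
        auto=add
```

With only one of the two subnets excluded, a client whose LAN happens to use the other range would be accepted as a %priv address and its traffic would clash with the server's own network.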
