[Openswan Users] connection could not be established, client loops the request, both are NATed!

foren titze foren.titze at gmx.net
Tue Jul 12 13:04:00 CEST 2005


On Tuesday, 12 July 2005 10:46, Jacco de Leeuw wrote:
> Foren Titze wrote:
> > > > and this is 10.0.0.1 the internal IP of the nating Router.
> > >
> > >             ,%v4:!10.0.0.0/24
> >
> > Yes I have added %v4:!192.168.121.0/24
>
> But 10.0.0.1 is the internal IP address of your NAT router?
> Do you use both 192.168.121.0/24 and 10.0.0.0/24 on your
> internal network? If so, then you need to exclude both in virtual_private.
Oh sh*t. Yes, I must negate the 10.0.0.0 subnet too. I lost sight of this.
>
> > > I don't know what you are trying to achieve with left/rightid="".
> >
> > I left it blank to protect our secrets. Normally it is filled with
> > the right stuff: the subject of the certificate.
>
> I see. Good call. But if you'd used something like rightid="blahblah"
> it would have been immediately obvious.
>
> > > >      #rightcert=certs/titze_cert.pem
> > >
> > > Uncomment this line or use:
> > >
> > >         rightca=%same
OK, either rightcert=... or rightca=%same, right?
> >
> > What line? Do you mean #rightcert=? At some point I heard that rightcert
> > must not be given in ipsec.conf, because the roadwarrior sends his
> > certificate.
>
> Well yes, but the server can use rightcert to extract the certificate
> details (i.e. rightid) automatically from the file. There are several ways
> of specifying the certificates that are allowed but your current
> configuration is incomplete. That's why I recommended using rightcert or
> rightca.
>
> > Whatever, the config was working when the server was not NATed.
>
> Whatever... But you could have run into a problem later on when you used
> multiple servers:
> http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#Wrong_certificate
>
> > >            rightsubnet=vhost:%no,%priv
> >
> > Can I use this if the client is not NATed?
>
> Certainly. The %no makes that possible.
>
> > > The Openswan log says that both are NATed. But that is incorrect?
> >
> > The logfile is not right in that respect.
> > The client wasn't NATed; I think he came in with an external IP, from
> > Vodafone UMTS.
>
> I think you should trust the Openswan team and the NAT-T standardisation
> people on this one. Or perhaps you could file a bug report if you are
> confident. Could you try to repeat the experiment with a public IP, e.g. by
> using dial-up, ISDN or GSM CSD?
Whatever, it should work whether or not the peer is NATed.
So I have to keep trying.
Could it be that l2tpd doesn't take over the connection from the tunnel?
ben
>
> Jacco
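As an added illustration (not part of this thread, and not Jacco's or Openswan's own files), here is how the directives discussed above fit together in an Openswan ipsec.conf for a certificate-authenticated L2TP/IPsec roadwarrior connection. The two excluded subnets are the ones named in the thread; the conn name, certificate paths and the L2TP port settings are assumptions.

```ini
# /etc/ipsec.conf (added example; conn name and paths are assumptions)
config setup
    # Accept NAT-T (UDP 4500) from peers behind NAT
    nat_traversal=yes
    # Private ranges a roadwarrior may claim as its virtual IP, minus the
    # subnets actually in use behind this server's NAT router. The thread
    # excludes 192.168.121.0/24; 10.0.0.0/24 must be excluded as well.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.121.0/24,%v4:!10.0.0.0/24

conn roadwarrior-l2tp
    authby=rsasig
    # Windows L2TP/IPsec clients do not do PFS
    pfs=no
    left=%defaultroute
    # The server's own certificate; leftid is derived from its subject
    leftcert=/etc/ipsec.d/certs/server.pem
    leftprotoport=17/1701
    right=%any
    # Accept any client certificate issued by the same CA as leftcert.
    # Alternative: rightcert=/etc/ipsec.d/certs/titze_cert.pem pins a single
    # client and lets Openswan fill in rightid from that file.
    rightca=%same
    rightprotoport=17/%any
    # %no: client on a public IP; %priv: client behind NAT with an address
    # from virtual_private. Both cases are accepted by the same conn.
    rightsubnet=vhost:%no,%priv
    auto=add
```

With rightca=%same the server does not need a copy of each client certificate; with rightcert= it pins one client and can fill in rightid from the file. Leaving both out, as in the original configuration, is what Jacco called incomplete.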


More information about the Users mailing list