[Openswan Users] problem with nat

Rob Mokkink rob at mokkinksystems.com
Sat Jul 30 20:34:44 CEST 2005


Hi,

I have set up a NAT router to test my roadwarrior setup. Within the same
subnet I can connect with no problems to the openswan server.

But when the server is behind a simple NAT router (linux) I can't connect
and get a strange problem with the external IP address.

Here is my ipsec.conf:

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=dsfw.redhatfw.org.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftcert=dsfw.redhatfw.org.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

conn roadwarrior-l2tp-oldwin
        left=%defaultroute
        leftcert=dsfw.redhatfw.org.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


The external IP address of the router is 192.168.0.52

This is the entry in my secure log:

cannot respond to IPsec SA request because no connection is known for
192.168.0.52/32===10.0.0.1:4500

I created the following iptables statements to get a one to one NAT mapping:
(IF = external interface, IP = external IP address)

iptables -A PREROUTING -t nat -i $IF -d $IP -j DNAT --to-dest 10.0.0.1
iptables -A POSTROUTING -t nat -o $IF -s 10.0.0.1 -j SNAT --to-source $IP

What do I need to do to get it working?

Regards,

Rob

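Added example, not from the post and not Openswan code: a small Python checker for the ipsec.conf layout shown above. It parses the file, flattens also= chains and conn %default the way Openswan applies them, and, given the address that %defaultroute resolves to on the server, reports when that address is private (the server is itself behind NAT), when nat_traversal=yes is absent, and when a leftsubnet falls inside virtual_private without a %v4:!NET exclusion entry. The trimmed sample configuration and the function names are assumptions; the checker only reads configuration text.

```python
import ipaddress
# Constructed sample, trimmed from the ipsec.conf quoted in the post above.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=v4:172.16.0.0/12,v4:192.168.0.0/16
conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior
conn roadwarrior
        left=%defaultroute
"""

def parse_ipsec_conf(text):
    # Section headers sit at column 0; key=value lines are indented; '#' starts a comment.
    setup, conns, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            section = conns.setdefault(line[5:].strip(), {})
        elif line == "config setup":
            section = setup
        elif line[:1].isspace() and "=" in line and section is not None:
            key, _, val = line.partition("=")
            section[key.strip()] = val.strip()
    return setup, conns

def resolve_conn(conns, name):
    # Flatten a conn: its own keys beat the also= target's, which beat conn %default.
    own = dict(conns[name])
    also = own.pop("also", None)
    base = resolve_conn(conns, also) if also else dict(conns.get("%default", {}))
    return {**base, **own}

def nat_findings(setup, conns, name, defaultroute_ip):
    # Checks worth running when the server's %defaultroute address is itself RFC1918.
    c = resolve_conn(conns, name)
    left = defaultroute_ip if c.get("left") == "%defaultroute" else c.get("left")
    if not (left and ipaddress.ip_address(left).is_private):
        return []
    out = [f"{name}: left={left} is private, so the server itself sits behind NAT"]
    if setup.get("nat_traversal") != "yes":
        out.append(f"{name}: nat_traversal=yes is missing from config setup")
    # virtual_private entries are [%]v4:NET, or [%]v4:!NET to carve a net back out.
    nets = [e.lstrip("%").split(":", 1)[1] for e in setup.get("virtual_private", "").split(",") if e]
    allowed = [ipaddress.ip_network(n) for n in nets if n[0] != "!"]
    excluded = [ipaddress.ip_network(n[1:]) for n in nets if n[0] == "!"]
    ls = ipaddress.ip_network(c["leftsubnet"]) if "leftsubnet" in c else None
    if ls and any(ls.overlaps(a) for a in allowed) and not any(ls.subnet_of(x) for x in excluded):
        out.append(f"{name}: leftsubnet {ls} lies inside virtual_private with no %v4:!{ls} exclusion")
    return out
```

Running nat_findings(*parse_ipsec_conf(SAMPLE_CONF), "roadwarrior-net", "10.0.0.1") reports both the private left address and the unexcluded 192.168.0.0/24 leftsubnet.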