[Openswan Users] winxp behind on server behind nat patch

Bernd Galonska B.Galonska at fhr.de
Thu Mar 3 08:56:40 CET 2005


Jacco de Leeuw wrote

>I could not get this to work either. I forwarded UDP 500/4500 from the
>NAT router to the Openswan server and the connection was not accepted.
>I added a leftnexthop= line with the public IP address of the NAT router.
>I also had to add a leftsubnet= line with the private IP address of the
>client. Then the IPsec connection was accepted but L2TP packets were sent
>unencrypted, and not through the tunnel. I did not investigate this
>further.


>Let's assume the Windows client is not behind NAT (to reduce complexity):

>Windows     1.1.1.1
>               ||
>               ||      Internet
>NAT router  2.2.2.2
>           192.168.1.10
>                |
>                |        LAN
>Openswan   192.168.1.3


I have tested this scenario:

1 roadwarrior (WinXP and Win2k) with a dynamic public IP address x.x.x.x
NAT router with a dynamic public IP address y.y.y.y
Openswan with 192.168.1.3, and it works.


Roadwarrior  x.x.x.x
               ||
               ||      Internet
NAT router   y.y.y.y
             192.168.1.1
               |
               |        LAN
Openswan     192.168.1.3


My ipsec.conf file:

schnipp---------------------------------------------------------------------

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug="control parsing"
        #plutodebug=all
        # Certificate Revocation List handling
        #crlcheckinterval=600
        #strictcrlpolicy=yes
        # Change rp_filter setting, default = 0 (switch off)
        #rp_filter=%unchanged
        interfaces=%defaultroute
        # Switch on NAT-Traversal (if patch is installed)
        nat_traversal=yes
        uniqueids=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16


# default settings for connections
conn %default
        left=%defaultroute
        # Default: %forever (try forever)
        keyingtries=1
        # Sig keys (default: %dnsondemand)
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        # Lifetimes, defaults are 1h/8hrs
        #ikelifetime=20m
        #keylife=1h
        #rekeymargin=8m
        authby=rsasig
        compress=yes
        disablearrivalcheck=no

# Add connections here

conn l2tp-winnew
        type=transport
        left=%defaultroute
        leftcert=example.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

conn l2tp-winold
        type=transport
        left=%defaultroute
        leftcert=example.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

schnapp---------------------------------------

Make sure that in Windows the connection is set up correctly:

* Host name = y.y.y.y (public IP of the NAT gateway)
* Type of VPN server = Layer 2 Tunneling Protocol (L2TP)


I have made some corrections to the patch for openswan-2.3.1dr3; I have posted
them in a separate message.
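As an added example (not part of the original post or of Openswan itself), the script below parses an ipsec.conf of the shape shown above and checks the settings an L2TP/IPsec road-warrior setup behind NAT depends on: nat_traversal, type=transport, UDP/1701 proto-ports, right=%any and pfs=no for the Windows clients. It also checks that virtual_private excludes the server's own LAN, which is assumed here to be 192.168.1.0/24 from the diagram (Openswan at 192.168.1.3); that exclusion is not in the posted config, so the linter reports it. SAMPLE_CONF is a constructed copy of the posted config, and the function names are the example's own.

```python
"""Linter for an Openswan ipsec.conf used for L2TP/IPsec road warriors.
Added example, not code from the original mailing-list post.  It parses
'config setup' and 'conn' sections, merges 'conn %default' into each
connection, and returns a list of findings.  SAMPLE_CONF is a constructed
copy of the posted config; the server LAN 192.168.1.0/24 is an assumption
taken from the diagram in the post."""

SAMPLE_CONF = """\
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        uniqueids=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        left=%defaultroute
        keyingtries=1
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        authby=rsasig
        compress=yes

conn l2tp-winnew
        type=transport
        leftcert=example.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

conn l2tp-winold
        type=transport
        leftcert=example.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Return (setup_settings, {conn_name: settings}) with %default merged in.

    Section headers start in column 0 ('config setup', 'conn NAME'); settings
    are indented 'key=value' lines.  'version' and 'include' lines carry no
    settings and are skipped.
    """
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # section header
            words = line.split()
            if words[0] == "config" and words[1:] == ["setup"]:
                current = setup
            elif words[0] == "conn":
                current = conns.setdefault(words[1], {})
            else:
                current = None                  # version / include
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return setup, {name: {**default, **c} for name, c in conns.items()}


def lint_l2tp(setup, conns, server_lan="192.168.1.0/24"):
    """Return findings for an L2TP/IPsec-behind-NAT setup (empty = all good)."""
    findings = []
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is needed when either end is behind NAT")
    # virtual_private lists the private ranges a NAT'ed client may claim;
    # the server's own LAN should be excluded with a '!' entry.
    excl = "%v4:!" + server_lan
    if excl not in setup.get("virtual_private", "").split(","):
        findings.append(f"config setup: virtual_private does not exclude the server LAN ({excl})")
    for name, c in conns.items():
        if c.get("rightprotoport") != "17/1701":   # only L2TP (UDP/1701) conns
            continue
        if c.get("type") != "transport":
            findings.append(f"conn {name}: L2TP/IPsec uses type=transport, found {c.get('type')}")
        if not c.get("leftprotoport", "").startswith("17/"):
            findings.append(f"conn {name}: leftprotoport should be 17/1701 (or 17/0 for older clients)")
        if c.get("right") != "%any":
            findings.append(f"conn {name}: road warriors with dynamic addresses need right=%any")
        if c.get("pfs", "yes") != "no":             # Openswan defaults pfs to yes
            findings.append(f"conn {name}: Windows L2TP clients do not use PFS; set pfs=no")
    return findings


def lint_text(text, server_lan="192.168.1.0/24"):
    """Parse and lint in one step; handy for feeding a file's contents."""
    setup, conns = parse_ipsec_conf(text)
    return lint_l2tp(setup, conns, server_lan)


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF):
        print("WARN", finding)
```

Run against the posted config, the only finding is the missing `%v4:!192.168.1.0/24` entry in virtual_private; pass the actual LAN prefix as `server_lan` if the server sits elsewhere.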



