[Openswan Users] IPSec behind NAT problems

Martin Goldstone nightofdarkness at hotmail.com
Wed Sep 7 13:18:13 CEST 2005


Hi all,

I'm having some irritating problems right now, so hopefully someone on here 
will be able to help.

I'll start off by saying that I've successfully implemented IPSec tunnels 
between two boxes with public IPs, and also roadwarrior configurations 
through NAT (on the client side).  I now need to sort of meld these two 
together. Here's a lovely diagram to describe it:

I'm using IPCop boxes to do the VPN between.


Lan A --- IPCop Box A --- NAT Device/Router --- Internet --- IPCop Box B --- Lan B

Lan A has IPs in 192.168.0.0/24, IPCop Box Red interface is 10.64.177.1/28, 
Private Interface of NAT Device is 10.64.177.2/28, Public is x.x.x.x.  On 
the B side, IPCop Box B red interface is y.y.y.y, Lan has IPs 172.16.0.0/16.

Currently, I've managed to get a link between IPCop Box A and B which allows 
me to ping from IPCop Box A to any host on Lan B, and vice versa, but I can't 
ping from hosts on Lan B to hosts on Lan A or vice versa.  I believe this is 
right because rightsubnet is set at 10.64.177.1/32, but when I try to set it 
to anything else (such as 192.168.0.0/24), I simply get an error that no 
connection is authorised for 172.16.0.0/16=y.y.y.y...x.x.x.x=192.168.0.0/24. 
I have tried setting leftid and rightid to no avail, and am running out of 
ideas.  I'm using certificates not preshared keys so there should be no 
problems there.

FYI - I'm running IPCop 1.4.8, which uses kernel 2.4 and Openswan 1.0.10rc2.

Has anyone got any ideas at all?  If anyone has a demonstration config file 
that works for this sort of scenario, I'd appreciate seeing it.

Just one last thing: on IPCop Box B, I tried to set a route to Lan A through 
the ipsec0 interface, using the same gateway as the one listed for the route 
to 10.64.177.1, and unfortunately every attempt at pinging from Lan B to Lan 
A results in a TTL expiry.


Thanks

Martin
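For reference, here is an added example of what the two conn stanzas for the topology described in the post could look like; it is not configuration from the poster or from the IPCop/Openswan projects. The certificate file names, the DNs, and x.x.x.x / y.y.y.y are placeholders, and the assumption is that Box B must identify the NATed peer by its certificate DN (rightid) rather than by address, and that the subnet pair on each side mirrors the other (a mismatched pair is exactly what produces a "no connection is authorized" message for a proposed subnet pair).

```ini
# --- IPCop Box A (behind the NAT device), /etc/ipsec.conf ---
conn a-to-b
    # Box A's own red address is private; the peer sees x.x.x.x
    left=10.64.177.1
    leftnexthop=10.64.177.2
    leftsubnet=192.168.0.0/24
    # DN taken from Box A's own certificate (placeholder values)
    leftid="C=XX, O=Example, CN=ipcop-a"
    leftcert=ipcop-a.pem
    leftrsasigkey=%cert
    right=y.y.y.y
    rightsubnet=172.16.0.0/16
    rightid="C=XX, O=Example, CN=ipcop-b"
    rightrsasigkey=%cert
    authby=rsasig
    auto=start

# --- IPCop Box B (public address), /etc/ipsec.conf ---
conn b-to-a
    left=y.y.y.y
    leftsubnet=172.16.0.0/16
    leftid="C=XX, O=Example, CN=ipcop-b"
    leftcert=ipcop-b.pem
    leftrsasigkey=%cert
    # The peer arrives from the NAT device's public address, so accept
    # it by the DN in its certificate rather than by a fixed address;
    # rightsubnet must be Lan A itself, not Box A's /32, or hosts on
    # Lan A will not be covered by the tunnel.
    right=%any
    rightsubnet=192.168.0.0/24
    rightid="C=XX, O=Example, CN=ipcop-a"
    rightrsasigkey=%cert
    authby=rsasig
    auto=add
```

With KLIPS on kernel 2.4 the route for the peer's subnet via ipsec0 is installed by the _updown script when the tunnel comes up, so no manual route to Lan A should be needed on Box B once the subnets match.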
