[Openswan Users] nat-t
Martin Goldstone
nightofdarkness at hotmail.com
Sat Sep 10 15:25:10 CEST 2005
Brad,
In my experience, I haven't had a lot of luck using PSKs with NAT-T, if
that's what you're doing. I've always used certificates in that circumstance,
and as I remember from some very excellent tutorials on the net (Jacco's at
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html, Nate Carlson's at
http://www.natecarlson.com/linux/ipsec-x509.php, and Duncan Reed's
http://www.elminster.com/xoops/modules/phpwiki/index.php/IpcopL2tpRemoteAccessServer),
it seems PSKs don't work with NAT-T. Additionally, with NAT-T, I've only
been able to get host-to-net (Roadwarrior) or host-to-host tunnels working
(only recently I needed net-to-net through NAT-T, and in order to achieve it
I had to implement a GRE tunnel across the ipsec tunnel, with help from
http://www.eatworms.org.uk/ipcop-gre-howto.php and the ip_gre module from a
slackware distro (10.1 I think) because IPCop didn't have the module and I
didn't have the time to set up a development environment to compile the
module myself).
In terms of getting the same config working with NATed clients and non-NATed
ones in the past, I have used the lines right=%any and
rightsubnet=vhost:%no,%priv, which worked quite well.
In general, I also make sure the OE stuff is disabled as well, as I've heard
it can cause issues with NAT-T. If you're still having problems, perhaps you
could post the errors you're getting (found at the end of the output from
the command ipsec barf).
Mart
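The gateway-side configuration that Martin's reply describes (right=%any with rightsubnet=vhost:%no,%priv, NAT-T enabled, OE switched off), written out as an added example for an Openswan 2.x gateway. This is not Brad's or Martin's config and not Openswan's own example file; the interface, the 192.168.2.0/24 LAN and the conn name are assumptions, and it keeps Brad's authby=secret rather than the certificate setup Martin prefers.

```ini
# /etc/ipsec.conf on the VPN gateway (the "left" end). Added example;
# addresses and names are assumed for illustration.
config setup
        interfaces=%defaultroute
        # Accept IKE/ESP over UDP 4500 from clients behind a NAT
        nat_traversal=yes
        # RFC 1918 ranges a NAT'd client may sit in. The gateway's own LAN
        # is excluded with %v4:! so a client can never claim an address
        # that collides with 192.168.2.0/24.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24

# Disable opportunistic encryption, which Martin reports can interfere
# with NAT-T. Openswan 2.x ships this file for exactly that purpose.
include /etc/ipsec.d/examples/no_oe.conf

conn %default
        keyingtries=0
        pfs=yes
        authby=secret

# One conn serves both kinds of roadwarrior: a client with a public
# address and a client behind a home NAT.
conn roadwarrior
        type=tunnel
        left=%defaultroute             # the gateway's public address
        leftsubnet=192.168.2.0/24      # LAN behind the gateway (assumed)
        right=%any                     # any client, public or NAT'd
        # %no   - client has a public address and proposes it directly
        # %priv - client is behind a NAT and proposes a private address
        #         that must fall inside virtual_private
        rightsubnet=vhost:%no,%priv
        auto=add
```

Because right=%any is combined with authby=secret, the gateway's /etc/ipsec.secrets needs a PSK entry keyed on %any (a line of the form `<gateway-ip> %any : PSK "..."`): a Main Mode responder has to pick the PSK by the peer's IP before it has seen the peer's ID, so every roadwarrior ends up sharing that one key. That limitation is a practical reason to move to the certificate-based setup Martin describes. After loading, `ipsec auto --status` should list the conn, and a NAT'd client's negotiation should show the port switching to 4500 in the log; if it does not, the tail of `ipsec barf` is the place to look, as Martin suggests.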
----Original Message Follows----
From: "Brad Swartz" <bswartz at russellnewman.com>
To: <users at openswan.org>
Subject: [Openswan Users] nat-t
Date: Tue, 06 Sep 2005 13:06:33 -0500
I had this working from a public address (same network as the right
side) on the client before I added the nat_traversal and virtual_private
lines. Once I added those two lines the public address on the client no
longer worked. Also the client from behind a private address (dsl at
home) did not work at that time either.
1. With nat-t on will it work from both public and private addresses?
2. What do you see wrong that the private at home did not work?
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn %default
        keyingtries=0
        disablearrivalcheck=no
        pfs=yes
        authby=secret

conn test
        type=tunnel
        left=0.0.0.0
        leftsubnet=192.168.2.58/32
        right=12.19.X.X
        rightnexthop=12.19.X.X
        rightsubnet=192.168.0.0/16
        auto=add
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users