[Openswan Users] One side NAT other side not??
Andy Gay
andy at andynet.net
Thu Aug 24 14:16:22 EDT 2006
On Thu, 2006-08-24 at 10:35 -0600, jham at gnumax.com wrote:
> I have a question on Openswan configuration for a tunnel through OpenSwan
> and CheckPoint. The checkpoint side is not NAT-ted. The OpenSwan is NATed.
>
> 10.1.0.0/16--10.1.254.1-PublicNATIP----------PublicNONATIP--10.2.0.0/16
> LAN1-----------LinuxGW/OpenSwan-----(Internet)-----CPGW---------LAN2
>
> The connection negotiates successfully and we can see remote initiated ESP
> traffic incoming and local initiated ESP outgoing on the Linux/OpenSwan GW
> but no responses on either end. The problem appears to be the NAT side.
> The CP side is not capable of NATT traversal.
If I understand this, your Openswan box is behind a NAT gateway. In that
case, it'll never work if the CP won't do NAT-T. Both ends have to agree
to do that.
Are you sure it's really "not capable" of NAT-T? Seems surprising, most
stuff can do that these days.
> I found an FAQ on a
> SmoothWall connection that references one side NAT-ting.
> The solution suggested is as follows for the LinuxGW ipsec.conf
>
> Left: 10.1.254.1 (local private IP)
> Left ID: PublicNATIP (local public IP)
> Left subnet: 10.1.0.0/16
> Right: CP PublicNONATIP (remote public IP)
> Right subnet: 10.2.0.0/16
>
> Is this correct??
> I have been unsuccessful to this point applying any PRE-Routing rules to
> disable NAT to the remote destination.
Now I'm confused. What's doing the NAT here?
>
> Any help would be greatly appreciated! Thanks
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
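An ipsec.conf for the NAT-ed (Linux/Openswan) side of the diagram in the question, added here as an illustration and not taken from the thread or from the Openswan project. PublicNATIP and PublicNONATIP are the placeholders from the original post; the connection name, the PSK authentication and the assumption that the NAT device in front of the Linux box forwards UDP 500 and 4500 inbound are mine.

```ini
# Added example, not from the original post.
# /etc/ipsec.conf on the LinuxGW behind the NAT device.
config setup
    # Enable NAT traversal: IKE moves to UDP 4500 and ESP is wrapped in
    # UDP (RFC 3947/3948). This only helps if the CheckPoint end also
    # negotiates NAT-T; plain ESP (IP protocol 50) has no ports for the
    # NAT device to track, which is why replies never come back.
    nat_traversal=yes
    # Private ranges a NAT-ed peer may claim, minus our own LAN so that
    # a remote client cannot claim 10.1.0.0/16.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.1.0.0/16

conn lan1-to-lan2
    # Local end: the address actually bound on this host is private, but
    # the IKE identity we present is the public (post-NAT) address, since
    # that is the source address the CheckPoint sees and matches against.
    left=10.1.254.1
    leftid=PublicNATIP
    leftsubnet=10.1.0.0/16
    # Remote end: real public address, not NAT-ed.
    right=PublicNONATIP
    rightid=PublicNONATIP
    rightsubnet=10.2.0.0/16
    # Pre-shared key for PublicNATIP/PublicNONATIP kept in /etc/ipsec.secrets
    # (assumed here; certificates would work the same way).
    authby=secret
    auto=start
```

After `ipsec auto --replace lan1-to-lan2` and `ipsec auto --up lan1-to-lan2`, check the pluto log for the NAT-Traversal result line of the phase 1 exchange and for ESP arriving on UDP 4500 rather than as raw protocol 50. If the CheckPoint really cannot do NAT-T, none of this helps: the settings above only change which identity and subnets are proposed, and the remaining options are to give the Openswan host the public address itself or to put a peer that does NAT-T on the far side.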