[Openswan Users] questions based on the VPN behind the NAT Box.

Shi Lang shilang at greenpacket.com
Wed Jan 18 09:16:39 CET 2006


Hi all,

 

I have two questions based on the VPN behind the NAT Box.

 

****************************************************************************

(192.168.6.6) VPN1 (192.168.11.1) --- (br0:192.168.11.11) NAT1 (eth0:
192.168.252.198)  -----  (eth0: 192.168.252.199) NAT2 (br0: 192.168.22.22)
--- (192.168.22.2) VPN2 (192.168.8.8)

 

NAT1 and NAT2 are Linux OS.

 

On NAT1 (a pure Linux PC) I did:

1. ifconfig eth0:1 192.168.252.104
   (192.168.252.104 is the mapped IP of 192.168.11.1, VPN1's external interface eth0.)

2. iptables -t nat -I POSTROUTING 1 -s 192.168.11.1 -j SNAT --to-source 192.168.252.104

3. iptables -t nat -I PREROUTING 1 -d 192.168.252.104 -j DNAT --to-destination 192.168.11.1
   (the DNAT target is only accepted in the PREROUTING and OUTPUT chains of the nat table)

 

I also did the same settings on NAT2, mapping 192.168.22.2 to 192.168.252.105.

 

****************************************************************************

 

I have successfully established the tunnel between VPN1 and VPN2.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.  But my first try was without leftid and rightid in the ipsec.conf on VPN1
and VPN2;

it failed at the M3 negotiation (M1 and M2 in Main Mode are OK, I
checked with 'ipsec auto --status').

IKE RFC 2409 says that in Main Mode, the last two messages authenticate the DH
exchange.

 

2.  But if VPN1 is connected directly to VPN2 (without the NAT boxes), then the
tunnel can be established without leftid and rightid.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

My questions:

 

1. 

I am wondering what the purpose of the system identifier id (left and right) in
the ipsec.conf is?

I referred to some papers, but I am still in the mist.

 

Hope to get advice from you, especially on why specifying 'left=ip' and
'right=ip' is not enough for such a case (VPN behind a NAT box/firewall). Why
are leftid and rightid needed?

 

2.

I used a pure Linux OS as the NAT1 and NAT2 firewall, but once I restart, the
ifconfig eth0:1 and iptables settings are lost and I need to redo the three
settings.

I am also wondering, for this case, whether there is any other way to
configure Linux so that the above three settings are permanent?

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Thanks very much.

 

Regards,

 

Shi Lang

Quality Assurance Engineer

GreenPacket Bhd

www.greenpacket.com

Tel: 006-03-89966022 ext: 105
E-mail: shilang at greenpacket.com

 

 

 

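One way to make NAT1's three settings survive a reboot, as an added example that is not part of the original post: a small POSIX sh script that re-creates them at boot (called from /etc/rc.local or an /etc/network/if-up.d hook, both assumed paths), using the post's addresses and the assumed alias interface eth0:1, and validating the addresses before anything is passed to eval.

```shell
#!/bin/sh
# Added example, not from the original post: re-create NAT1's three settings
# at boot so they survive a restart. Addresses are the post's; eth0:1 is the
# assumed alias interface. DNAT goes in PREROUTING, the only nat chain (besides
# OUTPUT) that accepts that target.

EXT_IF=${EXT_IF:-eth0}              # NAT1's outside interface
VPN_EXT=${VPN_EXT:-192.168.11.1}    # VPN1's external address, inside NAT1
MAP_IP=${MAP_IP:-192.168.252.104}   # public-side address mapped 1:1 to VPN1

# Accept only a plain dotted quad with octets 0-255; anything else (including
# shell metacharacters smuggled in via the environment) is rejected before
# the value ever reaches eval.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the three commands, one per line, without executing them, so the set
# can be reviewed or diffed against the running configuration first.
nat_commands() {
    cat <<EOF
ifconfig ${EXT_IF}:1 ${MAP_IP}
iptables -t nat -I POSTROUTING 1 -s ${VPN_EXT} -j SNAT --to-source ${MAP_IP}
iptables -t nat -I PREROUTING 1 -d ${MAP_IP} -j DNAT --to-destination ${VPN_EXT}
EOF
}

# Validate, then run each command as root; stop at the first failure.
apply_nat() {
    for a in "$VPN_EXT" "$MAP_IP"; do
        is_ipv4 "$a" || { echo "refusing to apply: bad address '$a'" >&2; return 1; }
    done
    nat_commands | while read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1   # exits the pipeline subshell; status propagates
    done
}

case "${1:-show}" in
    apply) apply_nat ;;
    show)  nat_commands ;;
esac
```

Run it with `show` to print the commands and with `apply` (as root) to install them; because the rules are inserted at position 1, run it once per boot rather than repeatedly.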
