[Openswan Users] VPN server in private net?

Andy fs at globalnetit.com
Wed Jan 25 11:12:52 CET 2006

On Tue, 2006-01-24 at 20:40 -0800, Jerry Kaidor wrote:
> Hi folks,
>    My customer moved, and got a new DSL with a new ISP.  It's a dynamic
> IP.  Unfortunately, it's also a PRIVATE ( 172.16 ) IP, and she has no
> public address whatsoever!
Clearly there must be a public address somewhere, or she wouldn't be
able to reach any place on the Internet. So obviously something is doing
NAT here. Usually that would be the DSL router, which is often provided
by the ISP, but you should be able to configure it.
Or are you saying the NAT is being done at the ISP? Possible I guess.
That would make things difficult. Probably you'd need to ask the ISP for

Either way, you have to find a way to (a) discover the public IP; and
(b) permit incoming ipsec (NAT-T) traffic to that address.

You may be able to use a dynamic DNS service to do (a). Check out
http://www.no-ip.com/, they have some really useful tools for this,
including a FREE DDNS service.

If you control the DSL router, there should be a way to set up port
forwarding to allow (b) to work.

>    I'm sure I can use NAT-T to have this server connect OUT to another
> openswan machine.  But I can't imagine any way a road warrior could
> connect IN to it.

The road warrior would need to use the DDNS to find the server. If the
server's address changes, you have to restart the client. A simple
script checking the DNS for changes should work.

>    Anybody else dealt with this?
>                          - Jerry Kaidor ( jerry at tr2.com )
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
Andy <fs at globalnetit.com>
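
The DNS-change check suggested in the reply above, as an added example for the road-warrior client; it is not part of the original post or of Openswan. The hostname, conn name and state-file path are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: re-initiate an Openswan connection when the server's DDNS
# name starts resolving to a different address.
# Assumed names (not from the post): SERVER_NAME, CONN, STATE_FILE.
SERVER_NAME="${SERVER_NAME:-vpn.example.invalid}"   # placeholder DDNS hostname
CONN="${CONN:-roadwarrior}"                         # placeholder conn name in ipsec.conf
STATE_FILE="${STATE_FILE:-/var/run/ddns-watch.last}"

# Resolve a hostname to its first IPv4 address; prints nothing on failure.
resolve_ip() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# Accept only a dotted quad, so an empty or garbled answer never triggers a restart.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Delete and re-add the conn from ipsec.conf, then bring the tunnel up again.
restart_conn() {
    ipsec auto --replace "$1" && ipsec auto --up "$1"
}

# check_once NEW_IP: returns 0 if the address changed (state file updated),
# 1 if unchanged, 2 if the lookup failed or was invalid (state left untouched).
# With no state file yet, the first valid address counts as a change.
check_once() {
    new_ip="$1"
    is_ipv4 "$new_ip" || return 2
    old_ip=""
    [ -f "$STATE_FILE" ] && old_ip=$(cat "$STATE_FILE")
    [ "$new_ip" = "$old_ip" ] && return 1
    printf '%s\n' "$new_ip" > "$STATE_FILE"
    return 0
}

# Poll loop; runs only when the script is started with --run.
if [ "${1:-}" = "--run" ]; then
    while :; do
        if check_once "$(resolve_ip "$SERVER_NAME")"; then
            logger -t ddns-watch "$SERVER_NAME changed, restarting $CONN"
            restart_conn "$CONN"
        fi
        sleep 300
    done
fi
```

The lookup itself is unauthenticated, but a wrong answer can only make the client dial the wrong address; the IKE authentication configured for the conn still decides whether a tunnel comes up.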
