[Openswan Users] WinXP Behind Nat to Openswan Server Behind NAT

Meron Lavie lavie at netvision.net.il
Mon Jul 17 01:55:26 CEST 2006


Following on from yesterday's correspondence, I downloaded the source and
successfully built and installed Openswan 2.4.5, which is supposed to support
NATted servers.

Since all my company's WinXP machines are NATted, I added
"rightsubnet=vhost:%no,%priv". However, once that parameter is present my
internal connection no longer works, and "ipsec verify" reports the
following:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5/K2.6.17-1.2145_FC5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

What am I doing wrong now?

TIA

Lavie

=====================================
IPSEC.CONF
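version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # NOTE: "control parsing" writes connection-parsing and negotiation
        # detail to syslog; set it back to "none" once the setup works so the
        # routine logs do not carry that detail.
        plutodebug="control parsing"
        nat_traversal=yes
        # Every parameter inside a section MUST be indented: a line that starts
        # in column 0 is read as the beginning of a new section, and pluto
        # will not start on the resulting parse error -- a likely cause of the
        # "is Pluto running?" failures reported by 'ipsec verify'.  The value
        # must also stay on ONE line (the mail copy was wrapped after "192").
        # These are the private ranges a NATted client may sit behind; the
        # server's own LAN, 192.168.1.0/24 (the 'left' of L2TP-PSK-INTERNAL),
        # is excluded so a remote client cannot claim an address inside it.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# L2TP/IPsec transport for clients on the local LAN (no NAT involved).
conn L2TP-PSK-INTERNAL
        # Pre-shared key.  With right=%any every client presumably uses the
        # same %any entry in /etc/ipsec.secrets -- confirm; whoever holds that
        # one secret can attempt a tunnel, so guard it as a group credential.
        authby=secret
        # pfs=no / rekey=no are the settings usually needed for the Windows
        # L2TP client; they trade forward secrecy for interoperability.
        pfs=no
        rekey=no
        keyingtries=3
        left=192.168.1.254
        # UDP from any source port: L2TP runs over 1701/udp on the client side.
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        auto=add

# L2TP/IPsec transport for clients reaching the public address via NAT.
conn L2TP-PSK-EXTERNAL
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=10.0.0.1
        leftnexthop=10.0.0.138
        leftid=10.0.0.1
        leftprotoport=17/%any
        right=%any
        # Accept a client whose real address is in virtual_private (%priv)
        # but is NOT itself behind NAT of its own subnet (%no).
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any
        # NOTE(review): with authby=secret the IKEv1 peer is normally
        # identified by its IP address, so a fixed FQDN rightid may never
        # match an %any road-warrior -- confirm this conn actually loads
        # ('ipsec auto --status') before relying on it.
        rightid=@NATted.hostname.com
        auto=add

#include /etc/ipsec.d/*.conf
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf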




