[Openswan Users] WinXP Behind Nat to Openswan Server Behind NAT

Paul Wouters paul at xelerance.com
Tue Jul 18 06:56:58 CEST 2006

On Mon, 17 Jul 2006, Meron Lavie wrote:

> Hi Paul,
> Not true - I did. I can only assume that the rightsubnet=vhost:%no,%priv
> option is causing Pluto to fail shortly after starting via "service ipsec
> start".

Ahh, then it crashed between starting and running ipsec verify.
Indeed, with the logs files you quote I can now see the assertion failure.

> BTW - why is " rightsubnet=vhost:%no,%priv" not documented in the ipsec.conf
> man page? In fact, rightsubnet doesn't appear at all.

All options that can be written as left* and right* are only discussed as left*
in the man page. Not all NAT options have made it into the man page. That still
needs to be fixed indeed. Unfortunately, our man pages build system is a bit
unclear at this point, and therefor not all updated options have been added
to their respective man pages (this is bug #154).
I have however added examples for l2tp using NAT in /etc/ipsec.d/examples/ a
few openswan versions ago. You could take a look at those.

> --virtual_private
> %v4:,%v4:,%v4:,%v4:!
> Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at
> connections.c:1382: isanyaddr(&c->spd.that.host_addr)

This is also a known bug, see: http://bugs.xelerance.com/view.php?id=492

As a work around, please use rightprototype=17/1701 and avoid using "%any"
in the protortype keyword.


More information about the Users mailing list