[Openswan Users] WinXP Behind Nat to Openswan Server Behind NAT
Paul Wouters
paul at xelerance.com
Tue Jul 18 06:56:58 CEST 2006
On Mon, 17 Jul 2006, Meron Lavie wrote:
> Hi Paul,
>
> Not true - I did. I can only assume that the rightsubnet=vhost:%no,%priv
> option is causing Pluto to fail shortly after starting via "service ipsec
> start".
Ahh, then it crashed between starting and running ipsec verify.
Indeed, with the logs files you quote I can now see the assertion failure.
> BTW - why is " rightsubnet=vhost:%no,%priv" not documented in the ipsec.conf
> man page? In fact, rightsubnet doesn't appear at all.
All options that can be written as left* and right* are only discussed as left*
in the man page. Not all NAT options have made it into the man page. That still
needs to be fixed indeed. Unfortunately, our man pages build system is a bit
unclear at this point, and therefor not all updated options have been added
to their respective man pages (this is bug #154).
I have however added examples for l2tp using NAT in /etc/ipsec.d/examples/ a
few openswan versions ago. You could take a look at those.
> --virtual_private
> %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
> Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at
> connections.c:1382: isanyaddr(&c->spd.that.host_addr)
This is also a known bug, see: http://bugs.xelerance.com/view.php?id=492
As a work around, please use rightprototype=17/1701 and avoid using "%any"
in the protortype keyword.
Paul
More information about the Users
mailing list