[Openswan Users] win-client - openswan server with nat
Jacco de Leeuw
jacco2 at dds.nl
Thu Nov 2 09:24:26 EST 2006
Paul Wouters wrote:
> On Wed, 18 Oct 2006, Jacco de Leeuw wrote:
>>> rightsubnet=vhost:%no,%priv
>>
>> You need to remove this line if you use PSKs and NAT.
>
> Can you explain that to me? Isn't this always needed for NAT-T, even
> when in host-host transport mode? Why does it only relate to PSK?
Hm, you're right. I guess I was confused with Openswan used as the
initiator. Then the connection fails if you use rightsubnet with a
PSK and NAT.
On a slightly related note, does this work for you?
conn l2tp-X.509
	authby=rsasig                  # X.509 certificate (RSA signature) authentication
	pfs=no
	auto=add
	rekey=no
	left=%defaultroute
	leftrsasigkey=%cert
	leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem
	leftprotoport=17/1701          # L2TP: UDP port 1701 on the gateway side
	right=%any                     # accept clients from any address (road warriors)
	rightca=%same                  # client cert must come from the same CA as ours
	rightrsasigkey=%cert
	rightprotoport=17/%any         # client may use any UDP source port
	rightsubnet=vhost:%priv,%no    # allow NATed clients with private addresses (or none)
It appears that L2TP packets get sent in the clear, unless you
set right=x.x.x.x, rightprotoport=17/1701 or remove rightsubnet=.
Using rightprotoport=17/1701 would be the easiest solution, at the
expense of shutting out MacOS X clients.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
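Added example, not from this thread or from Openswan itself: a small lint that parses ipsec.conf conn blocks and flags the combination the mail above describes (an L2TP conn that keeps rightsubnet= while right=%any and rightprotoport is not pinned to 17/1701). The rule encodes the observation in the mail, not verified Openswan behaviour; the sample configuration is constructed.

```python
# Added example (not from the thread or Openswan): flag the ipsec.conf
# combination that, per the mail above, may let L2TP go out in the clear.
import re

# Constructed sample: the conn from the mail, plus the same conn with the
# client port pinned to 17/1701 (the "easiest solution" from the mail).
SAMPLE_CONF = """
conn l2tp-X.509
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
conn l2tp-X.509-pinned
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no
"""

def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {param: value}}.
    Covers one 'param=value' per line and '#' comments only; no also=/include."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def l2tp_clear_risk(params):
    """Return a finding for one conn, or None if one of the mail's fixes is present.
    The rule comes from the observation in the mail, not from Openswan's source."""
    if params.get("leftprotoport") != "17/1701":
        return None                                   # not an L2TP/IPsec conn
    if "rightsubnet" not in params:
        return None                                   # fix: rightsubnet= removed
    if params.get("right", "%any") != "%any":
        return None                                   # fix: peer address pinned
    if params.get("rightprotoport") == "17/1701":
        return None                                   # fix: client port pinned
    return (f"rightsubnet={params['rightsubnet']} with right=%any and "
            f"rightprotoport={params.get('rightprotoport', '<unset>')}: L2TP may be "
            "sent in the clear; pin rightprotoport=17/1701 (shuts out Mac OS X "
            "clients), set right= to a fixed address, or drop rightsubnet=")

def audit(text):
    """Map each conn name to its finding (None when the rule does not fire)."""
    return {name: l2tp_clear_risk(p) for name, p in parse_conns(text).items()}
```

Run audit() over a real ipsec.conf and confirm with a packet capture on the gateway that UDP/1701 only appears inside ESP (or UDP/4500 for NAT-T) before trusting the result.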