[Openswan Users] windows client behind nat (was: nat problem)
Jacco de Leeuw
jacco2 at dds.nl
Tue Oct 24 16:40:25 EDT 2006
Nicolelli Federico wrote:
> I have a big problem with a windows natted client and a linux openswan
> server (2.4.7rc2 with 2.6.17.3 kernel) :
> this is my situation:
>
> winz client ----> 192.168.0.1
Are you sure? Isn't it 192.168.0.162?
> |
> firewall ------> X.X.X.X
> |
> vpn terminator ---------> 62.X.X.X
You forgot to blank these in your logs :-).
What is the subnet behind the vpn terminator? You need to
exclude this range in the following line:
> virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8
For instance, if this range is 192.168.1.0/24, it should be:
virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8,%v4:!192.168.1.0/24
> conn nico
> right=%any
I would suggest adding rightca=%same
> auto=start
This cannot be used for road warriors where right=%any.
The road warrior initiates the connection, not Openswan.
So Openswan has no way of knowing the road warrior's address.
You should use:
auto=add
> and these are my server and my client logs:
> Oct 24 17:30:31 omnia pluto[5977]: "nico"[3] 85.18.80.194 #3: no
> suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan,
> CN=mrcyano.graphimedia.it'
I suspect that Openswan refused to load your 'conn nico' because
of the auto=start (you did not send that part of the logs).
Thus, your client certificate was not loaded and the connection
was rejected.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
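The two points raised in the reply above (the subnet behind the VPN terminator must be excluded from virtual_private, and a road-warrior conn with right=%any cannot use auto=start) are easy to get wrong by hand. The small linter below is an added example, not code from this thread or from the Openswan project: it parses a minimal ipsec.conf, splits virtual_private into allowed and excluded ranges (a leading '!' after %v4:/%v6: marks an exclusion), and reports a conn whose leftsubnet overlaps an allowed range without a covering exclusion, or which combines right=%any with auto=start. It goes slightly beyond the reply by only flagging an actual overlap, so a non-overlapping subnet such as 192.168.1.0/24 against 192.168.0.0/24 passes even though adding the explicit exclusion remains good practice. The sample configuration, including the 10.1.0.0/16 subnet behind the terminator, is constructed for this example; the parser ignores include= and also= directives.

```python
"""Lint an Openswan ipsec.conf for two common road-warrior mistakes (added example)."""
import ipaddress


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'config setup': {...}, 'conn NAME': {...}}.

    Minimal parser: unindented lines start a section, indented key=value
    lines belong to it, '#' starts a comment. include= and also= are not
    followed.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) network lists.

    Entries look like %v4:192.168.0.0/24 or %v4:!192.168.1.0/24; the '!'
    marks a range the road warrior may NOT claim as its virtual address.
    """
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if not (entry.startswith("%v4:") or entry.startswith("%v6:")):
            raise ValueError(f"unrecognised virtual_private entry: {entry!r}")
        body = entry[4:]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(body, strict=False))
    return allowed, excluded


def local_subnet_conflicts(allowed, excluded, local_subnet):
    """Return the allowed ranges that overlap local_subnet without an
    exclusion covering the whole local subnet."""
    local = ipaddress.ip_network(local_subnet, strict=False)
    conflicts = []
    for net in allowed:
        if net.version != local.version or not net.overlaps(local):
            continue
        covered = any(ex.version == local.version and local.subnet_of(ex)
                      for ex in excluded)
        if not covered:
            conflicts.append(net)
    return conflicts


def lint(conf):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    setup = conf.get("config setup", {})
    allowed, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    for name, opts in conf.items():
        if not name.startswith("conn "):
            continue
        # A road warrior initiates; the gateway cannot start a conn to %any.
        if opts.get("right") == "%any" and opts.get("auto") == "start":
            findings.append(f"{name}: auto=start with right=%any; use auto=add")
        subnet = opts.get("leftsubnet")
        if subnet:
            for net in local_subnet_conflicts(allowed, excluded, subnet):
                findings.append(f"{name}: leftsubnet {subnet} overlaps "
                                f"virtual_private {net} without exclusion")
    return findings


# Constructed sample based on the thread; 10.1.0.0/16 is an assumed LAN.
SAMPLE = """
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8

conn nico
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftcert=vpnserver.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    rightca=%same
    auto=start
"""

# Same config with the exclusion added and auto=add, as the reply advises.
FIXED = SAMPLE.replace("%v4:10.0.0.0/8", "%v4:10.0.0.0/8,%v4:!10.1.0.0/16") \
              .replace("auto=start", "auto=add")

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("fixed", FIXED)):
        print(label, lint(parse_ipsec_conf(text)) or ["ok"])
```

Run it and the constructed sample yields two findings, the fixed variant none; point it at a real ipsec.conf by reading the file into `parse_ipsec_conf` instead of the embedded string.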