[Openswan Users] windows client behind nat (was: nat problem)
Nicolelli Federico
nico at tcpsas.com
Wed Oct 25 03:15:03 EDT 2006
Jacco de Leeuw ha scritto:
> Nicolelli Federico wrote:
>
>> i have a big problem with a windows natted client and a linux openswan
>> server (2.4.7rc2 with 2.6.17.3 kernel) :
>> this is my situation:
>>
>> winz client ----> 192.168.0.1
>
> Are you sure? Isn't it 192.168.0.162?
Yes you're right :) ....
>
>> |
>> firewall ------> X.X.X.X
>> |
>> vpn terminator ---------> 62.X.X.X
>
> You forgot to blank these in your logs :-).
>
> What is the subnet behind the vpn terminator? You need to
> exclude this range in the following line:
>
>> virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8
>
> For instance, if this range is 192.168.1.0/24, it should be:
> virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8,%v4:!192.168.1.0/24
OK, now I have excluded the subnet behind the vpnt:
virtual:private=%v4:192.168.0.0/24,%v4:!10.0.0.0/8
>
>> conn nico
>> right=%any
>
> I would suggest adding rightca=%same
ok, done
>
>> auto=start
>
> This cannot be used for road warriors where right=%any.
> The road warrior initiates the connection, not Openswan.
> So Openswan has no way of knowing the road warrior's address.
> You should use:
>
> auto=add
>
>> and these are my server and my client logs:
>> Oct 24 17:30:31 omnia pluto[5977]: "nico"[3] 85.18.80.194 #3: no
>> suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan,
>> CN=mrcyano.graphimedia.it'
>
> I suspect that Openswan refused to load your 'conn nico' because
> of the auto=start (you did not send that part of the logs).
> Thus, your client certificate was not loaded and the connection
> rejected.
>
> Jacco
I have changed auto=start to auto=add, but I still cannot connect....
The logs still say:
no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan,
CN=mrcyano.graphimedia.it'....
Anyway thank you... :)
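The road-warrior settings Jacco recommends above (the virtual_private exclusion, rightca=%same and auto=add) collected into one ipsec.conf fragment, as an added example that is not part of the original thread; the LAN behind the terminator (192.168.1.0/24) is the value from his example, and the certificate file name is a placeholder.

```ini
# Added example: Openswan 2.4.x ipsec.conf fragment for a Windows road
# warrior behind NAT, assembled from the advice in this thread.
# Assumed values: the gateway's LAN is 192.168.1.0/24 (Jacco's example),
# its public address is written 62.X.X.X as in the post, and the
# certificate file name is a placeholder.
config setup
    nat_traversal=yes
    # Private ranges a natted road warrior may present. The gateway's
    # own LAN is excluded (the %v4:! entry) so the tunnel never claims
    # addresses that are also local to the gateway.
    virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8,%v4:!192.168.1.0/24

conn nico
    authby=rsasig
    left=62.X.X.X
    leftsubnet=192.168.1.0/24
    leftcert=gatewayCert.pem          # placeholder file name
    leftrsasigkey=%cert
    # Road warrior: its address is unknown until it connects, hence
    # right=%any, and auto=add because the gateway can only listen.
    right=%any
    rightrsasigkey=%cert
    # Accept only peer certificates issued by the same CA as leftcert
    rightca=%same
    # Let the client's natted private address act as its client subnet
    rightsubnet=vhost:%priv,%no
    auto=add
```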