[Openswan Users] windows client behind nat (was: nat problem)

Nicolelli Federico nico at tcpsas.com
Wed Oct 25 03:15:03 EDT 2006


Jacco de Leeuw ha scritto:
> Nicolelli Federico wrote:
> 
>> I have a big problem with a Windows NATed client and a Linux Openswan
>> server (2.4.7rc2 with 2.6.17.3 kernel):
>> this is my situation:
>>
>> winz client ----> 192.168.0.1
> 
> Are you sure? Isn't it 192.168.0.162?

Yes, you're right :) ....
> 
>>   |
>> firewall ------> X.X.X.X
>>  |
>> vpn terminator ---------> 62.X.X.X
> 
> You forgot to blank these in your logs :-).
> 
> What is the subnet behind the vpn terminator? You need to
> exclude this range in the following line:
> 
>>         virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8
> 
> For instance, if this range is 192.168.1.0/24, it should be:
>    virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8,%v4:!192.168.1.0/24

OK, now I have excluded the subnet behind the vpnt:
    virtual_private=%v4:192.168.0.0/24,%v4:!10.0.0.0/8

> 
>> conn nico
>>         right=%any
> 
> I would suggest adding rightca=%same
OK, done.
> 
>>         auto=start
> 
> This cannot be used for road warriors where right=%any.
> The road warrior initiates the connection, not Openswan.
> So Openswan has no way of knowing the road warrior's address.
> You should use:
> 
>    auto=add
> 
>> and these are my server and my client logs:
>> Oct 24 17:30:31 omnia pluto[5977]: "nico"[3] 85.18.80.194 #3: no
>> suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan,
>> CN=mrcyano.graphimedia.it'
> 
> I suspect that Openswan refused to load your 'conn nico' because
> of the auto=start (you did not send that part of the logs).
> Thus, your client certificate was not loaded and the connection
> rejected.
> 
> Jacco
I have changed auto=start to auto=add, but I cannot connect....
The logs still say:
no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan,
CN=mrcyano.graphimedia.it'....

Anyway, thank you... :)
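As an added example (not from this thread or from Openswan itself), a small Python checker for the two misconfigurations Jacco points out: a virtual_private range that covers the gateway's own subnet with no %v4:! exclusion, and a right=%any conn with auto=start. The leftsubnet value 10.1.0.0/24 and the conf layout are constructed assumptions; the real subnet behind the vpnt is not given in the post.

```python
import ipaddress

# Constructed sample: the original 'conn nico' settings from this thread plus an
# assumed leftsubnet of 10.1.0.0/24 (the real subnet behind the vpnt is not in the post).
BROKEN_CONF = """\
config setup
        virtual_private=%v4:192.168.0.0/24,%v4:10.0.0.0/8
conn nico
        right=%any
        leftsubnet=10.1.0.0/24
        auto=start
"""
# The same config with the two changes Jacco recommends applied.
FIXED_CONF = (BROKEN_CONF.replace("%v4:10.0.0.0/8", "%v4:10.0.0.0/8,%v4:!10.1.0.0/24")
              .replace("auto=start", "auto=add"))

def parse_conf(text):
    """Return {section: {key: value}} for a minimal ipsec.conf (no include/also=)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("config ", "conn ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def virtual_private_gaps(vp, local_subnets):
    """Local subnets inside an allowed %v4 range that no '!' entry excludes."""
    allowed, excluded = [], []
    for item in vp.split(","):
        if not item.startswith("%v4:"):
            continue  # %v6 entries are not handled in this example
        cidr = item[len("%v4:"):]
        net = ipaddress.ip_network(cidr.lstrip("!"), strict=False)
        (excluded if cidr.startswith("!") else allowed).append(net)
    return [str(sub) for sub in (ipaddress.ip_network(s, strict=False) for s in local_subnets)
            if any(sub.overlaps(a) for a in allowed) and not any(sub.subnet_of(e) for e in excluded)]

def lint(text):
    """Report the two road-warrior mistakes discussed in the thread."""
    secs = parse_conf(text)
    local = [s["leftsubnet"] for s in secs.values() if "leftsubnet" in s]
    vp = secs.get("setup", {}).get("virtual_private", "")
    findings = [f"virtual_private does not exclude local subnet {sub}" for sub in virtual_private_gaps(vp, local)]
    findings += [f"conn {n}: right=%any with auto=start, use auto=add"
                 for n, s in secs.items() if s.get("right") == "%any" and s.get("auto") == "start"]
    return findings
```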
