[Openswan Users] Help with vpn Client Through-NAT

Paul Wouters paul at xelerance.com
Sun Sep 3 13:19:56 EDT 2006

On Sun, 3 Sep 2006, Michael Williamson wrote:

> I could use a hand/advice with trying to get a linux VPN client chatting
> with a linksys rv042 through a linksys RT31P2 running NAT...

> The encryption method is shared key, my understanding is that kernels >

It is better to use authby=rsakey if using linux-linux connections.
It also works a bit better with NAT-T, since authby=secret depends
on the IP address, which changes with NAT.

> 2.6.6 contain the necessary support for nat traversal (read somewhere on
> the openswan wiki...)?

You are using netkey, so you are fine, yes.

> Here is my ipsec.conf file:
> config setup
>     nat_traversal=yes

Note that on the serer end you need a virtual_private=%v4:

> config cl
> # Left security gateway, subnet behind it, nexthop toward right.
>     authby=secret
>     left=
>     leftid=w.x.y.z
>     leftnexthop=
>     leftsubnet=

you cannot have a leftsubnet that is not behind left. In your case,
left and the leftnexthop are within the leftsubnet. You can't get to
yourself via yourself. You should seperate the client's IP from the
subnet it needs to tunnel, if that is what you were trying to do?

> ->ipsec auto --up cl
> 104 "cl" #2: STATE_MAIN_I1: initiate
> 010 "cl" #2: STATE_MAIN_I1: retransmission; will wait 20s for response

Is this the client or the server? You cannot initiate from server to client
behind nat. So if this is the server, it will not work. Not even with "IPsec
passthrough". In fact, you MUST disable "IPsec passthrough".
If this is the client initiating, then you should see some logentries on
the server. If you don't, then your firewall or network is blocking packets
on UDP 500.


More information about the Users mailing list