[Openswan Users] Help with vpn Client Through-NAT

Michael Williamson mikewill at twcny.rr.com
Sun Sep 3 16:24:17 EDT 2006


Hello Paul,

Maybe I wasn't clear in the last email.

My VPN server (at work) is a linksys router (model RV042).  It is the 
primary router/NAT for work's private subnet 192.168.0.0/24 and the 
internet.  I can configure the tunnel for the router (up to 50 of them), 
and my best/only VPN option at the moment appears to be an IPSEC tunnel 
using pre-shared keys.  I have no idea what OS the linksys router is 
using; I can only fool with the web forms to configure it.

My VPN client (at home) is a linux box running openswan.  It is sitting 
on subnet 192.168.15.0/24 behind a linksys RT31P2 NAT.

The commands and config file I sent you were all from the client.  The 
"left" was the client side, and according to the only wiki entry I could 
find about this:

http://wiki.openswan.org/index.php/Openswan/NatTraversal

my client is following the pattern suggested in the "mynatconn" 
configuration except for the rightnexthop (which I don't know and set as 
%defaultroute).  The example in the wiki appears to be contrary to your 
comments about left and leftnexthop being in the same subnet as 
leftsubnet.  I guess I need to do some more reading....

Thanks for the help,

-Mike
Paul Wouters wrote:
> On Sun, 3 Sep 2006, Michael Williamson wrote:
>
>   
>> I could use a hand/advice with trying to get a linux VPN client chatting
>> with a linksys rv042 through a linksys RT31P2 running NAT...
>>     
>
>   
>> The encryption method is shared key, my understanding is that kernels >
>>     
>
> It is better to use authby=rsakey if using linux-linux connections.
> It also works a bit better with NAT-T, since authby=secret depends
> on the IP address, which changes with NAT.
>
>   
>> 2.6.6 contain the necessary support for nat traversal (read somewhere on
>> the openswan wiki...)?
>>     
>
> You are using netkey, so you are fine, yes.
>
>   
>> Here is my ipsec.conf file:
>>
>> config setup
>>     nat_traversal=yes
>>     
>
> Note that on the server end you need a virtual_private=%v4:192.168.15.0/24
>
>   
>> conn cl
>> # Left security gateway, subnet behind it, nexthop toward right.
>>     authby=secret
>>     left=192.168.15.104
>>     leftid=w.x.y.z
>>     leftnexthop=192.168.15.1
>>     leftsubnet=192.168.15.0/24
>>     
>
> you cannot have a leftsubnet that is not behind left. In your case,
> left and the leftnexthop are within the leftsubnet. You can't get to
> yourself via yourself. You should separate the client's IP from the
> subnet it needs to tunnel, if that is what you were trying to do?
>
>   
>> ->ipsec auto --up cl
>> 104 "cl" #2: STATE_MAIN_I1: initiate
>> 010 "cl" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
>>     
>
> Is this the client or the server? You cannot initiate from server to client
> behind nat. So if this is the server, it will not work. Not even with "IPsec
> passthrough". In fact, you MUST disable "IPsec passthrough".
> If this is the client initiating, then you should see some log entries on
> the server. If you don't, then your firewall or network is blocking packets
> on UDP 500.
>
> Paul
>
>   
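
The two configuration checks Paul's reply boils down to (a side's own address and nexthop must not sit inside that side's subnet, and the server's virtual_private must cover the client's NATed subnet), written up as an added example that is not part of the thread and not Openswan's own parser. It reads a minimal ipsec.conf; the corrected client conn and the server-side config setup are constructed here, and 203.0.113.5 stands in for the RV042's public address, which the thread does not give.

```python
"""Sanity checks for an Openswan ipsec.conf as discussed in the thread:
left/leftnexthop must not lie inside leftsubnet, and the server's
virtual_private must admit the NATed client.  Added example code, not
Openswan's own configuration parser."""
import ipaddress

# Constructed: the client-side config from the thread (section header
# given as "conn", which is what Openswan expects).
CLIENT_CONF = """\
config setup
    nat_traversal=yes

conn cl
    # Left security gateway, subnet behind it, nexthop toward right.
    authby=secret
    left=192.168.15.104
    leftid=w.x.y.z
    leftnexthop=192.168.15.1
    leftsubnet=192.168.15.0/24
"""

# Constructed: the same conn with the client's own address separated from
# the remote subnet it wants to reach.  203.0.113.5 is an assumed
# placeholder for the RV042's public address.
FIXED_CLIENT_CONF = """\
config setup
    nat_traversal=yes

conn cl
    authby=secret
    left=192.168.15.104
    leftid=w.x.y.z
    leftnexthop=192.168.15.1
    right=203.0.113.5
    rightsubnet=192.168.0.0/24
"""

# Constructed: the server-side "config setup" with the line Paul asks for.
SERVER_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.15.0/24
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'setup': {...}, 'conns': {name: {...}}}.
    Section headers start in column 0; key=value lines are indented."""
    sections = {"setup": {}, "conns": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            name = name.strip()
            if kind == "config" and name == "setup":
                current = sections["setup"]
            elif kind == "conn":
                current = sections["conns"].setdefault(name, {})
            else:
                raise ValueError(f"unknown section header: {line!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"key/value outside a section: {line!r}")
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def check_conn(conn):
    """Return Paul's objection for one conn as a list of strings: a side's
    own address or nexthop found inside that side's subnet."""
    problems = []
    for side in ("left", "right"):
        subnet = conn.get(side + "subnet")
        if not subnet:
            continue
        net = ipaddress.ip_network(subnet, strict=False)
        for key in (side, side + "nexthop"):
            value = conn.get(key, "")
            # %defaultroute, %any and friends are resolved at runtime; skip.
            if value and not value.startswith("%") \
                    and ipaddress.ip_address(value) in net:
                problems.append(f"{key}={value} lies inside {side}subnet={subnet}")
    return problems


def audit_client(text):
    """All problems in a client-side config: NAT-T must be on, and every
    conn passes check_conn."""
    conf = parse_ipsec_conf(text)
    problems = []
    if conf["setup"].get("nat_traversal") != "yes":
        problems.append("nat_traversal is not yes")
    for name, conn in conf["conns"].items():
        problems.extend(f"conn {name}: {p}" for p in check_conn(conn))
    return problems


def virtual_private_covers(setup, client_ip):
    """True if the server's virtual_private admits client_ip behind NAT.
    Entries look like %v4:10.0.0.0/8 or %v4:!192.168.0.0/24 (exclusion)."""
    addr = ipaddress.ip_address(client_ip)
    included = excluded = False
    for entry in setup.get("virtual_private", "").split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue  # %v6: and anything else are out of scope here
        body = entry[len("%v4:"):]
        net = ipaddress.ip_network(body.lstrip("!"), strict=False)
        if addr in net:
            if body.startswith("!"):
                excluded = True
            else:
                included = True
    return included and not excluded


if __name__ == "__main__":
    for label, text in (("as posted", CLIENT_CONF), ("fixed", FIXED_CLIENT_CONF)):
        print(label, audit_client(text) or "ok")
    server_setup = parse_ipsec_conf(SERVER_CONF)["setup"]
    print("server admits client:", virtual_private_covers(server_setup, "192.168.15.104"))
```

Run against the posted config it reports both left and leftnexthop inside leftsubnet; against the rewritten conn (client address left alone, rightsubnet=192.168.0.0/24 for the work LAN) it is clean, and the server-side check only passes once virtual_private lists the client's 192.168.15.0/24.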


