[Openswan Users] Help with vpn Client Through-NAT
mikewill at twcny.rr.com
Sun Sep 3 16:24:17 EDT 2006
Maybe I wasn't clear in the last email.
My VPN server (at work) is a linksys router (model RV042). It is the
primary router/NAT for work's private subnet 192.168.0.0/24 and the
internet. I can configure the tunnel for the router (up to 50 of them),
and my best/only VPN option at the moment appears to be an IPSEC tunnel
using pre-shared keys. I have no idea what OS the linksys router is
using, I can only fool with the web forms to configure it.
My VPN client (at home) is a linux box running openswan. It is sitting
on subnet 192.168.15.0/24 behind a linksys RT31P2 NAT.
The commands and config file I sent you were all from the client. The
"left" was the client side, and according to the only wiki entry I could
find about this:
my client is following the pattern suggested in the "mynatconn"
configuration except for the rightnexthop (which I don't know and set as
%defaultroute). The example in the wiki apears to be contrary to your
comments about left and leftnexthop being in the same subnet as
leftsubnet. I guess I need to do some more reading....
Thanks for the help,
Paul Wouters wrote:
> On Sun, 3 Sep 2006, Michael Williamson wrote:
>> I could use a hand/advice with trying to get a linux VPN client chatting
>> with a linksys rv042 through a linksys RT31P2 running NAT...
>> The encryption method is shared key, my understanding is that kernels >
> It is better to use authby=rsakey if using linux-linux connections.
> It also works a bit better with NAT-T, since authby=secret depends
> on the IP address, which changes with NAT.
>> 2.6.6 contain the necessary support for nat traversal (read somewhere on
>> the openswan wiki...)?
> You are using netkey, so you are fine, yes.
>> Here is my ipsec.conf file:
>> config setup
> Note that on the serer end you need a virtual_private=%v4:192.168.15.0/24
>> config cl
>> # Left security gateway, subnet behind it, nexthop toward right.
> you cannot have a leftsubnet that is not behind left. In your case,
> left and the leftnexthop are within the leftsubnet. You can't get to
> yourself via yourself. You should seperate the client's IP from the
> subnet it needs to tunnel, if that is what you were trying to do?
>> ->ipsec auto --up cl
>> 104 "cl" #2: STATE_MAIN_I1: initiate
>> 010 "cl" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
> Is this the client or the server? You cannot initiate from server to client
> behind nat. So if this is the server, it will not work. Not even with "IPsec
> passthrough". In fact, you MUST disable "IPsec passthrough".
> If this is the client initiating, then you should see some logentries on
> the server. If you don't, then your firewall or network is blocking packets
> on UDP 500.
More information about the Users