[Openswan Users] OpenS/WAN and Shorewall clarification
Jim Blake
jim at blakes.homeip.net
Fri Jun 1 16:27:59 EDT 2007
I have an OpenS/WAN server behind a NAT-ing (shorewall) firewall, with
"nat_traversal=yes" in ipsec.conf. I am trying to set up an ipsec tunnel
from a test OpenS/WAN server on the Internet, also with
"nat_traversal=yes".
Assuming the left and right descriptors in the ipsec.conf file are right,
do I:
1) need to do anything other than open up the firewall so that port 50
(IP), port 500 (UDP) and port 4500 (UDP) can go freely in both directions
across the firewall, with the following in the "rules" file:
# Lines added for IPsec
ACCEPT loc net tcp 50
ACCEPT net loc tcp 50
ACCEPT loc net udp 500
ACCEPT net loc udp 500
ACCEPT loc net udp 4500
ACCEPT net loc udp 4500
2) need to have anything enabled in the line
#virtual_private=%v4:10.0.0.0/24,%v4:192.168.123.0/24
Any advice gratefully received. I'm having a bad time getting a working
NAT traversal config, so any examples you care to send my way would be
good too.
Thanks Guys
Jim
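
An added example, not part of the original post: a small checker that reads rules in the column layout posted above (ACTION SOURCE DEST PROTO DPORT) and reports whether ESP, IKE and NAT-T are each accepted in a given direction. ESP is IP protocol 50 and has no ports, so a rule naming 50 as a tcp or udp port does not match it. The function names and the second sample are constructed for illustration.

```python
# Added example: audit Shorewall-style rules for the traffic IPsec NAT-T needs.
# Column layout (ACTION SOURCE DEST PROTO DPORT) follows the posted rules.

# ESP is IP protocol 50 (no ports); IKE is UDP 500; NAT-T is UDP 4500.
REQUIRED = {
    "ESP (IP protocol 50)": ("50", None),
    "IKE (UDP 500)": ("udp", "500"),
    "NAT-T (UDP 4500)": ("udp", "4500"),
}
PROTO_ALIASES = {"esp": "50", "17": "udp", "6": "tcp"}

POSTED = """# Lines added for IPsec
ACCEPT loc net tcp 50
ACCEPT net loc tcp 50
ACCEPT loc net udp 500
ACCEPT net loc udp 500
ACCEPT loc net udp 4500
ACCEPT net loc udp 4500"""

# Constructed variant: 50 sits in the PROTO column instead of the port column.
CONSTRUCTED = POSTED.replace("tcp 50", "50")

def parse_rules(text):
    """Return (action, source, dest, proto, dport) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        action, src, dst, proto = fields[:4]
        proto = PROTO_ALIASES.get(proto.lower(), proto.lower())
        dport = fields[4] if len(fields) > 4 and fields[4] != "-" else None
        rules.append((action.upper(), src, dst, proto, dport))
    return rules

def audit(text, src, dst):
    """Return (coverage per required flow, rules using 50 as a tcp/udp port)."""
    rules = [r for r in parse_rules(text)
             if r[0] == "ACCEPT" and r[1:3] == (src, dst)]
    covered = {name: any(r[3] == proto and (port is None or r[4] == port)
                         for r in rules)
               for name, (proto, port) in REQUIRED.items()}
    suspicious = [r for r in rules if r[3] in ("tcp", "udp") and r[4] == "50"]
    return covered, suspicious

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, audit(text, "net", "loc"))
```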