[Openswan Users] Configure net-to-net vpn with both vpn servers behind adsl nat routers
Paul Wouters
paul at xelerance.com
Tue Mar 6 14:21:20 EST 2007
On Tue, 6 Mar 2007, Xavi Deop wrote:
> Hi, I have the following scenario, and I would like to create a vpn with
> natt support.
>
> LAN_1 ------ vpn server --- router adsl ------ internet---- router adsl
> ----- vpn server ----- LAN_2
This is a very difficult scenario because both endpoints are behind NAT. If
your vpnserver really has two ethernets, then it becomes a bit easier. If
they only have one ethernet, then it becomes next to impossible without
advanced route/ifconfig hacking.
You would save yourself a LOT of trouble by giving at least one vpn server
a publicly reachable IP address. If you do not do this, you need to do some
port forwarding on one or both DSL routers for ports 500 and 4500 UDP to
the vpn server.
The setup in these cases is similar to a standard net-to-net configuration.
Just be aware that if you only have one interface, you have the problem that
left=yourip is part of leftsubnet=yourlan/mask, which will not work.
For two interfaces, it becomes something like:
    conn net-to-net
        left=10.0.1.2
        leftid=@leftnet
        leftrsasigkey=0sA.....
        leftsubnet=192.168.0.0/24
        right=ipofothergateway
        rightid=@rightnet
        rightrsasigkey=0sA.....
        rightsubnet=192.168.1.0/24
        authby=rsasigkey
        auto=start

Obtain the rsasigkey statements using the command ipsec showhostkey --left (or --right).
> I'm working with slackware 10.1 and kernel 2.16.12
>
> I have to install the kernel natt patch??
If you use netkey, you do not need the natt patch.
Paul
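The single-interface pitfall Paul points out (left=yourip falling inside leftsubnet=yourlan/mask) is easy to catch before loading the conn. The following checker is an added example, not code from the post or from Openswan: it parses ipsec.conf-style conn sections and reports a gateway address that sits inside its own subnet, plus left/right subnets that overlap. The sample conn block is constructed for the example; its addresses (192.168.0.2, 203.0.113.10) are placeholders, and the helper names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the conn from the post, but with a single-interface
# left gateway whose address lies inside its own leftsubnet (the pitfall).
SAMPLE_CONF = """\
conn net-to-net
    left=192.168.0.2
    leftid=@leftnet
    leftsubnet=192.168.0.0/24
    right=203.0.113.10
    rightid=@rightnet
    rightsubnet=192.168.1.0/24
    authby=rsasigkey
    auto=start
"""


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}} (comments stripped)."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_conn(params):
    """Return a list of problem strings for one conn (empty list if it looks sane)."""
    problems = []
    for side in ("left", "right"):
        addr = params.get(side)
        subnet = params.get(side + "subnet")
        if addr is None or subnet is None:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Placeholders such as 'ipofothergateway' or %any cannot be checked.
            continue
        net = ipaddress.ip_network(subnet, strict=False)
        if ip in net:
            problems.append(f"{side}={addr} lies inside {side}subnet={subnet}")
    ls, rs = params.get("leftsubnet"), params.get("rightsubnet")
    if ls and rs:
        a = ipaddress.ip_network(ls, strict=False)
        b = ipaddress.ip_network(rs, strict=False)
        if a.overlaps(b):
            problems.append(f"leftsubnet={ls} overlaps rightsubnet={rs}")
    return problems


def check_config(text):
    """Map each conn name to its list of problems."""
    return {name: check_conn(p) for name, p in parse_conns(text).items()}


if __name__ == "__main__":
    for name, problems in check_config(SAMPLE_CONF).items():
        for p in problems or ["ok"]:
            print(f"{name}: {p}")
```

Run it against a real /etc/ipsec.conf by passing the file contents to check_config(); a gateway that must use its LAN address on its only interface will show up here, which is exactly the case the post says needs a second interface or a public address instead.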