[Openswan Users] OpenSWAN through a NAT-ing firewall

Jim Blake jim at blakes.homeip.net
Tue May 29 04:12:31 EDT 2007

I have two Debian systems running OpenSWAN. They are connected either side
of a third Debian box running Shorewall and performing NAT. The
configuration is something like this:

[diagram of the three systems, described below]

Swan is on the Internet, with a public address. Bastion is a publicly
addressed firewall on the Internet with a single public address
serving all the firewall's and the internal network's use (sometimes
called NAT overload). Debian is a privately addressed system, which
accesses the Internet via Bastion and NAT.

With IPsec stopped on both end nodes, Debian can ssh to Swan, though
because I haven't set up 1-to-1 NAT, Swan can't ssh to Debian...this may
be the problem, I didn't get time to check. Bastion can ping both end
stations, and both end stations can ping Bastion.

I have allowed TCP Port 50, UDP port 500, UDP port 4500 through the
firewall in both directions.

With IPsec started on both systems, and the ipsec.conf file documented
below, if I try to start the "left-to-right" tunnel, it just hangs.
Running tcpdump, I see that the system that I just started the tunnel from
has ARPed for the gateway, and got a response. Then everything goes

Anyone out there able to see what I'm doing wrong *this* time?

Jim Blake

version	2.0	# conforms to second version of ipsec.conf specification

config setup
	# klipsdebug=all
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg: plutodebug="control parsing"
	# Only enable klipsdebug=all if you are a developer
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# virtual_private=%v4:,%v4:,%v4:......
	# enable this if you see "failed to find any available worker"
	# nhelpers=0

conn %default

conn left-to-right
	left=81.2.xx.yy                #Internet addressable IP
	leftsubnet=                    #Private network "behind" SWAN
	leftid=@swan.domain.com        #SWAN's FQDN
	leftrsasigkey=0sAQOl8F....     #Left key (from SWAN)
	leftnexthop=%defaultroute      #SWAN's default (points to Internet)
	right=                         #Private (NAT'ed) address of Debian
	rightsubnet=                   #Private network "behind" DEBIAN
	rightid=@debian.domain.com     #DEBIAN's FQDN
	rightrsasigkey=0sAQO......     #Right key (from DEBIAN)
	rightnexthop=%defaultroute     #DEBIAN's default (to BASTION)
	auto=add                       #Do nothing till I tell you to

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
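As an added check (not part of the post or of Openswan itself), a small parser for the ipsec.conf layout quoted above, plus a checklist for the NAT scenario it describes. The sample config and its addresses are constructed placeholders; the checklist assumes Openswan 2.x, where NAT-T must be switched on with nat_traversal=yes in "config setup", and it flags a peer address from an RFC 1918 range, since packets from a NAT'ed peer arrive from the NAT's public address rather than the private one.

```python
import ipaddress
import re

# Constructed sample in the same shape as the quoted ipsec.conf; placeholder values only.
SAMPLE = """\
version 2.0
config setup
\t# nat_traversal=yes
conn left-to-right
\tleft=192.0.2.10
\tleftid=@swan.example
\tright=10.0.0.5
\trightid=@debian.example
\tauto=add
include /etc/ipsec.d/examples/no_oe.conf
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipsec_conf(text):
    """Return {"conn NAME" | "config setup": {key: value}}; comments and top-level keywords are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing/whole-line comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header or keyword
            m = re.match(r"(config|conn)\s+(\S+)", line)
            current = f"{m.group(1)} {m.group(2)}" if m else None
            if current:
                sections.setdefault(current, {})
            continue
        if current and "=" in line:               # indented key=value belongs to current section
            k, v = line.strip().split("=", 1)
            sections[current][k.strip()] = v.strip()
    return sections

def nat_findings(sections, conn):
    """List NAT-traversal problems for one conn (assumed Openswan 2.x semantics)."""
    setup, c, out = sections.get("config setup", {}), sections.get(conn, {}), []
    if setup.get("nat_traversal", "no").lower() != "yes":
        out.append("nat_traversal=yes is not set in 'config setup'")
    for side in ("left", "right"):
        try:
            addr = ipaddress.ip_address(c.get(side, ""))
        except ValueError:
            continue                              # %any, %defaultroute, empty: nothing to check
        if any(addr in net for net in RFC1918):
            out.append(f"{side}={addr} is RFC1918; the remote peer sees the NAT's public address")
    return out
```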
