[Openswan Users] OpenSWAN through a NAT-ing firewall
jim at blakes.homeip.net
Tue May 29 04:12:31 EDT 2007
I have two Debian systems running OpenSWAN. They are connected either side
of a third Debian box running Shorewall and performing NAT. The
configuration is something like this:
System System System
Swan is on the Internet, with a public address. Bastion is a publicly
addressed firewall on the Internet with with a single public address
serving all the firewall's and the internal network's use (sometimes
called NAT overload). Debian is a privately addressed system, which
accesses the Internet via Bastion and NAT.
With IPsec stopped on both end nodes, Debian can ssh to Swan, though
because I haven't set up 1-to-1 NAT, Swan can't ssh to Debian...this may
be the problem, I didn't get time to check. Bastion can ping both end
stations, and both end stations can ping Bastion.
I have allowed TCP Port 50, UDP port 500, UDP port 4500 through the
firewall in both directions.
With IPsec started on both systems, and the ipsec.conf file documented
below, if I try to start the "left-to-right" tunnel, it just hangs.
Running tcpdump, I see that the system that I just stated the tunnel from
has ARPed for the gateway, and got a response. The everything goes
Anyone out there able to see what I'm doing wrong *this* time?
version 2.0 # conforms to second version of ipsec.conf specification
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg: plutodebug="control parsing"
# Only enable klipsdebug=all if you are a developer
# NAT-TRAVERSAL support, see README.NAT-Traversal
# enable this if you see "failed to find any available worker"
left=81.2.xx.yy #Internet addressable IP
leftsubnet=10.0.0.0/24 #Private network "behind" SWAN
email@example.com #SWAN's FQDN
leftrsasigkey=0sAQOl8F.... #Leftkey (from SWAN)
leftnexthop=%defaultroute #SWAN's default(points to Internet)
right=192.168.123.97 #Private (NAT'ed) address of Debian
rightsubnet=10.0.1.0/24 #Private network "behind" DEBIAN
firstname.lastname@example.org #DEBIAN's FQDN
rightrsasigkey=0sAQO...... #Leftkey (from DEBIAN)
rightnexthop=%defaultroute #DEBIAN's default(toBASTION)
auto=add #Do nothing till I tell you to
#Disable Opportunistic Encryption
More information about the Users