[Openswan Users] OpenSWAN through a NAT-ing firewall
Jim Blake
jim at blakes.homeip.net
Tue May 29 04:12:31 EDT 2007
I have two Debian systems running OpenSWAN. They are connected either side
of a third Debian box running Shorewall and performing NAT. The
configuration is something like this:
System          System                   System
SWAN----INTERNET------BASTION----Private-----DEBIAN
                                 NAT-ed
                                 subnet
Swan is on the Internet, with a public address. Bastion is a publicly
addressed firewall on the Internet with a single public address
serving all the firewall's and the internal network's use (sometimes
called NAT overload). Debian is a privately addressed system, which
accesses the Internet via Bastion and NAT.
With IPsec stopped on both end nodes, Debian can ssh to Swan, though
because I haven't set up 1-to-1 NAT, Swan can't ssh to Debian...this may
be the problem, I didn't get time to check. Bastion can ping both end
stations, and both end stations can ping Bastion.
I have allowed TCP Port 50, UDP port 500, UDP port 4500 through the
firewall in both directions.
With IPsec started on both systems, and the ipsec.conf file documented
below, if I try to start the "left-to-right" tunnel, it just hangs.
Running tcpdump, I see that the system that I just started the tunnel from
has ARPed for the gateway, and got a response. Then everything goes
quiet....
Anyone out there able to see what I'm doing wrong *this* time?
Thanks
Jim Blake
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        # klipsdebug=all
        #plutodebug=control
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:......
        # enable this if you see "failed to find any available worker"
        # nhelpers=0

conn %default
        authby=rsasig

conn left-to-right
        left=81.2.xx.yy                 #Internet addressable IP
        leftsubnet=10.0.0.0/24          #Private network "behind" SWAN
        leftid=@swan.domain.com         #SWAN's FQDN
        leftrsasigkey=0sAQOl8F....      #Leftkey (from SWAN)
        leftnexthop=%defaultroute       #SWAN's default (points to Internet)
        right=192.168.123.97            #Private (NAT'ed) address of Debian
        rightsubnet=10.0.1.0/24         #Private network "behind" DEBIAN
        rightid=@debian.domain.com      #DEBIAN's FQDN
        rightrsasigkey=0sAQO......      #Rightkey (from DEBIAN)
        rightnexthop=%defaultroute      #DEBIAN's default (to BASTION)
        auto=add                        #Do nothing till I tell you to

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
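The check a practitioner would run against a configuration like the one above, as an added example that is not part of the original post and not Openswan's own tooling: a small linter that parses an ipsec.conf and flags the NAT-traversal pitfalls that produce exactly this "initiator goes quiet" symptom. The two general facts it encodes are that a peer sitting behind NAT overload cannot be reached by its RFC 1918 address from the Internet (the usual pattern is to give that side `%any`, let it initiate, and match it on its `id`), and that `nat_traversal=yes` must be set when either peer is NAT-ed. The sample configuration embedded below is constructed for the example (the public address `81.2.0.1` and the `.example` ids are placeholders, not values from the post).

```python
"""Lint an Openswan/Libreswan-style ipsec.conf for common NAT-traversal mistakes.

Added example, not code from the original post or from the Openswan project.
The checks are general IPsec/NAT-T facts; the sample config is constructed.
"""
import ipaddress
import re

# Constructed sample in the same shape as the posted config: the right peer is
# named by its private, NAT-ed address, which the left (Internet) side cannot reach.
SAMPLE_CONF = """\
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
conn %default
        authby=rsasig
conn left-to-right
        left=81.2.0.1                 # constructed public address
        leftsubnet=10.0.0.0/24
        leftid=@swan.example
        right=192.168.123.97          # private address of the NAT-ed peer
        rightsubnet=10.0.1.0/24
        rightid=@debian.example
        auto=add
"""


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}}.

    Section headers start in column 0; parameters are indented key=value
    lines; '#' starts a comment. 'version' and 'include' lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header and not raw[0].isspace():
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def _is_private_address(value):
    """True for RFC 1918 / other private literals; False for %any, hostnames, etc."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


def lint_nat_traversal(sections):
    """Return a list of human-readable findings (empty list means no issue found)."""
    findings = []
    setup = sections.get("config setup", {})
    natt_enabled = setup.get("nat_traversal", "no").lower() == "yes"
    for name, conn in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        for side in ("left", "right"):
            addr = conn.get(side)
            if addr and _is_private_address(addr):
                findings.append(
                    f"{name}: {side}={addr} is a private address; a peer behind NAT "
                    f"overload is not reachable by it from the Internet. Use {side}=%any, "
                    f"let that peer initiate, and match it on {side}id."
                )
                if not natt_enabled:
                    findings.append(
                        f"{name}: {side} is NAT-ed but 'nat_traversal=yes' is missing "
                        f"from 'config setup'; ESP cannot cross NAT without UDP encapsulation."
                    )
    return findings


if __name__ == "__main__":
    for finding in lint_nat_traversal(parse_ipsec_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run it on a real file with `lint_nat_traversal(parse_ipsec_conf(open("/etc/ipsec.conf").read()))`. Replacing `right=192.168.123.97` with `right=%any` in the sample makes the linter return no findings; the corresponding change on the Internet side is that the tunnel is then brought up from the NAT-ed peer (`auto=start` there, `auto=add` on the `%any` side), not from the side whose peer is `%any`.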