[Openswan Users] host to host behind NAT
Paul Wouters
paul at xelerance.com
Sun Oct 21 21:20:14 EDT 2007
On Sun, 21 Oct 2007, raphael at depinfo.com wrote:
> config setup
> forwardcontrol=yes
> interfaces=%defaultroute
> nat_traversal=yes
> plutodebug=control
> virtual_private=%v4:10.0.0.0/8,%v4:128.0.0.0/16,%v4:192.168.0.0/24,%v4:!192.168.1.0/24
>
> conn %default
> authby=secret
So your default is changed from RSA to PSK
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn RPV
> left=10.0.0.10
> leftid="####"
> leftcert=newcert.pem
> leftnexthop=%defaultroute
> leftsubnet=192.168.1.0/24
> right=public ip host B
> rightnexthop=%defaultroute
> rightid="####"
> rightsubnet=128.0.0.0/16
> auto=add
So the certs are not used here, because certs are only used with RSA.
> iptable :
>
> iptables -A INPUT -p udp --dport 4500 -j ACCEPT
> iptables -A INPUT -p udp --sport 4500 -j ACCEPT
I think you mean to use -A OUTPUT here?
> iptables -A INPUT -p 50 -j ACCEPT
> iptables -A INPUT -p 51 -j ACCEPT
> iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --dport 500 -j ACCEPT
> iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --sport 500 -j ACCEPT
> iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --sport 4500 -j ACCEPT
> iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --dport 4500 -j ACCEPT
> iptables -A INPUT -p udp -i eth1 --sport 500 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp -o eth1 --sport 500 --dport 500 -j ACCEPT
> iptables -A FORWARD -d 10.0.0.10/16 -i ipsec+ -j ACCEPT
>
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 128.0.0.0/16 -j MASQUERADE
> 004 "RPV" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9e48c21a <0x36726b37 xfrm=AES_0-HMAC_SHA1 NATD=PublicIP Host B:4500 DPD=none}
>
> Connection established, but no ping from W2K3 Host A and W2K3 Host B
Probably because you block outgoing udp 4500 packets (ESPinUDP)
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
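A small check for the gap Paul points to, added here as an example and not part of the thread or of Openswan: it parses a list of iptables commands and reports which of the flows a NAT-T tunnel needs on the NATed host (IKE on UDP 500 and ESPinUDP on UDP 4500, each direction) have no ACCEPT rule. The required-flow table is an assumption for this scenario, and the sample rule list is constructed from the commands quoted above.

```python
import shlex

# Filter-table flows an Openswan NAT-T tunnel needs; ESP rides inside UDP 4500
# once NAT-T is active, so proto 50 is not required on the NATed side.
REQUIRED = {("INPUT", "udp", "500"): "IKE in",
            ("OUTPUT", "udp", "500"): "IKE out",
            ("INPUT", "udp", "4500"): "NAT-T (ESPinUDP) in",
            ("OUTPUT", "udp", "4500"): "NAT-T (ESPinUDP) out"}
PROTO_NAMES = {"50": "esp", "51": "ah", "17": "udp"}
FLAGS = {"-A": "chain", "-I": "chain", "-p": "proto",
         "--dport": "dport", "--sport": "sport", "-j": "target"}

def parse_rule(line):
    """Reduce one 'iptables ...' command to the options the check needs."""
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables" or "-t" in argv:
        return None                      # filter table only; skip nat/mangle
    rule = dict.fromkeys(FLAGS.values())
    for i, tok in enumerate(argv[:-1]):
        if tok in FLAGS:
            rule[FLAGS[tok]] = argv[i + 1]
    rule["proto"] = PROTO_NAMES.get(rule["proto"], rule["proto"])
    return rule

def covers(rule, chain, proto, port):
    """True if this rule ACCEPTs the (chain, proto, port) flow. A --sport-only
    match counts, but only while the peer keeps that source port; a NAT in
    the path may rewrite it, so --dport is the safer match."""
    if (rule["target"], rule["chain"], rule["proto"]) != ("ACCEPT", chain, proto):
        return False
    if rule["dport"] is None and rule["sport"] is None:
        return True                      # whole protocol accepted
    return port in (rule["dport"], rule["sport"])

def missing_rules(rules_text):
    """Descriptions of required flows that no rule in rules_text accepts."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    return [desc for (chain, proto, port), desc in REQUIRED.items()
            if not any(covers(r, chain, proto, port) for r in rules)]

# Constructed sample: the host A rule set quoted in the thread, minus FORWARD.
THREAD_RULES = """\
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 500 --dport 500 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 128.0.0.0/16 -j MASQUERADE
"""
```

Running `missing_rules(THREAD_RULES)` reports only the outbound UDP 4500 flow, which is exactly the ESPinUDP traffic a DROP policy on OUTPUT would discard.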