[Openswan Users] OpenSwan behind a NAT
Daniel Bautista
dbautista at duocom.es
Fri Mar 7 05:03:50 EST 2008
Hi to all!
We have a problem configuring our IPsec with OpenSwan, because one of the
endpoints of the connection is behind a NAT. Surely this problem has been posted
before, so I hope you can tell me where to search, or a solution for this
situation.
We had a previous working configuration (when there was no NAT) like this:
/etc/ipsec.conf:

version 2.0

conn A-to-B
    type=tunnel
    compress=yes
    left=197.221.84.68
    leftsubnet=10.36.3.0/24
    leftid=@A.domain1.com
    leftrsasigkey=d8dufi9wef8sdf98wduf...
    leftnexthop=%defaultroute
    right=82.61.111.246
    rightsubnet=10.36.30.0/24
    rightid=@B.domain2.es
    rightrsasigkey=f98uer98ef9we8fuwe9...
    rightnexthop=%defaultroute
    auto=start

conn packetdefault
    auto=ignore

conn private
    auto=ignore

conn clear
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore
The machines were:
A: (eth0 197.221.84.68 - eth0:0 10.36.3.5 - default gw 197.221.84.67)
B: (eth0 82.61.111.246 - eth0:0 10.36.30.7 - default gw 82.61.111.3)
It worked because A and B weren't behind a NAT. But now we want to put B
behind a NAT, this way:
A: (remains the same)
B: (eth0: 10.36.30.7 - no eth0:0 - default gw 10.36.30.3)
router/NAT: (private 10.36.30.3 - public 82.61.105.87)
What is the best configuration for this? Do we have to use the nat_traversal
option? Do we have to redirect UDP ports 500 and 4500 in the router to
10.36.30.7? It seems the router has a NAT-T option; should we use it?
Our software in both machines:
iproute2 2.4.7
OpenSwan 2.4.3
Slackware 9.1
Kernel 2.4.22 with klips and natt patches
Thanks in advance,
Daniel
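The following is an added example, not part of Daniel's post or of Openswan itself: a small checker for the ipsec.conf format shown above that flags a conn whose left= or right= endpoint is a private address (a sign that the peer now sits behind a NAT) and reports whether nat_traversal is enabled. It assumes the Openswan 2.x convention that nat_traversal=yes lives in the "config setup" section; the sample configuration is constructed, modelled on conn A-to-B after B was moved behind the NAT.

```python
import ipaddress

# Constructed sample, modelled on the poster's conn A-to-B with B behind a NAT:
# right= is B's private address and no nat_traversal setting is present.
SAMPLE_CONF = """\
version 2.0
config setup
    interfaces=%defaultroute
conn A-to-B
    type=tunnel
    left=197.221.84.68
    leftsubnet=10.36.3.0/24
    right=10.36.30.7
    rightsubnet=10.36.30.0/24
    auto=start
"""

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}. Section headers
    ('config setup', 'conn NAME') start at column 0; indented lines are
    key=value parameters belonging to the current section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                # header or top-level keyword
            if line.startswith(("conn ", "config ")):
                current = line.strip()
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def nat_findings(sections):
    """Return a list of findings: conns with an RFC 1918 endpoint address,
    plus a note if 'config setup' does not enable NAT traversal (assumed
    keyword: nat_traversal=yes)."""
    findings = []
    natt_on = sections.get("config setup", {}).get("nat_traversal") == "yes"
    for name, params in sections.items():
        if not name.startswith("conn "):
            continue
        for side in ("left", "right"):
            addr = params.get(side, "")
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue   # %defaultroute, %any, hostnames: not checked here
            if ip.is_private:
                findings.append(f"{name}: {side}={addr} is a private address; a "
                                "peer behind NAT needs NAT-T (UDP 500/4500)")
    if not natt_on:
        findings.append("config setup: nat_traversal is not set to yes")
    return findings
```

Running nat_findings(parse_ipsec_conf(SAMPLE_CONF)) reports both the private right= endpoint and the missing nat_traversal setting; a configuration with public endpoints and nat_traversal=yes yields an empty list.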