[Openswan Users] OpenSwan behind a NAT

Paul Wouters paul at xelerance.com
Fri Mar 7 05:52:18 EST 2008


On Fri, 7 Mar 2008, Daniel Bautista wrote:

> We had a previous working configuration (when there was no NAT) like this:

>     left=197.221.84.68
>     leftsubnet=10.36.3.0/24

>     right=82.61.111.246
>     rightsubnet=10.36.30.0/24

> It worked because A and B weren't behind a NAT. But now we want to put B
> behind a NAT, this way:

> B: (eth0: 10.36.30.7 - no eth0:0 - default gw 10.36.30.3)
> router/NAT: (private 10.36.30.3 - public 82.61.105.87)

Your mileage may vary, because now you need to have a left= that is part
of leftsubnet=. I've heard different stories about the success of such a
setup.

> What is the best configuration for this? Do we have to use the nat_traversal
> option? Do we have to redirect udp ports 500 and 4500 in the router to
> 10.36.30.7? It seems the router has a NATT option, should we have to use it?

Use nat_traversal and virtual_private. Disable all IPsec options on the
router. If you cannot disable all the options on the router, invest $60 in
a Linksys.

> OpenSwan 2.4.3

That's a retracted version of Openswan. It existed for 4 days between
Nov 14-18 2005 before a new security release 2.4.4 was made. You should
not be running it. Upgrade to 2.4.12.

Paul
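The configuration Paul describes, sketched as an added example that is not part of the thread and not Openswan's own sample files. It uses the addresses from the question, assumes B (the NATed gateway) initiates so that no UDP 500/4500 port forwards are needed on the router, and assumes pre-shared-key IDs of the form @b-gateway / @a-gateway so that B's private left= address does not have to double as its IKE identity. The conn name and the exact virtual_private ranges are illustrative choices.

```ini
# --- B side (behind the NAT, 10.36.30.7, default gw 10.36.30.3) ---
config setup
    # required once one peer sits behind a NAT
    nat_traversal=yes
    # RFC 1918 ranges a NATed peer may live in, minus our own LAN;
    # the exclusion (!) keeps our own subnet from being treated as virtual
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.36.30.0/24

conn a-to-b
    # Paul's caveat: left= is inside leftsubnet= on this side
    left=10.36.30.7
    leftsubnet=10.36.30.0/24
    leftnexthop=10.36.30.3
    leftid=@b-gateway          # assumed FQDN-style ID instead of the private IP
    right=197.221.84.68
    rightsubnet=10.36.3.0/24
    rightid=@a-gateway         # assumed
    authby=secret
    auto=start                 # B initiates, so the NAT builds state outbound

# --- A side (public 197.221.84.68, not NATed) ---
config setup
    nat_traversal=yes
    # same idea, now excluding A's own LAN
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.36.3.0/24

conn a-to-b
    left=197.221.84.68
    leftsubnet=10.36.3.0/24
    leftid=@a-gateway          # assumed
    right=%any                 # IKE arrives from the router's public 82.61.105.87
    rightsubnet=10.36.30.0/24
    rightid=@b-gateway         # assumed
    authby=secret
    auto=add                   # A only responds
```

After loading both sides, `ipsec verify` on each gateway reports whether NAT traversal support is present and `ipsec auto --status` shows whether the NATed peer was detected behind a NAT and which port (4500) the SA ended up on. If the router's own "NATT"/IPsec passthrough feature is left enabled it may rewrite or consume the ESP/UDP 4500 traffic, which is why the advice above is to switch it off rather than combine it with nat_traversal.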
