[Openswan Users] OpenSwan behind a NAT

Paul Wouters paul at xelerance.com
Fri Mar 7 05:52:18 EST 2008

On Fri, 7 Mar 2008, Daniel Bautista wrote:

> We had a previous working configuration (when there was no NAT) like this:

>     left=
>     leftsubnet=

>     right=
>     rightsubnet=

> It worked because A and B weren't behind a NAT. But now we want to put B
> behind a NAT, this way:

> B: (eth0: - no eth0:0 - default gw
> router/NAT: (private - public

Your mileage may vary, because now you need to have a left= that is part
of leftsubnet=. I've heard different stories about the success of such a

> What is the best configuration for this? Do we have to use the nat_traversal
> option? Do we have to redirect udp ports 500 and 4500 in the router to
> It seems the router has a NATT option, should we have to use it?

use nat_traversal and virtual_private. Disable all IPsec options on the
router. If you cannot disable all the options on the router, invest $60 in
a Linksys.

> OpenSwan 2.4.3

That's a retracted version of Openswan. It existed for 4 days between
Nov 14-18 2005 before a new security release 2.4.4 was made. You should
not be running it. Upgrade to 2.4.12.

