[Openswan Users] Ipsec/l2tp server behind nat, again(2)
openswan at iotti.biz
Wed Oct 8 11:36:09 EDT 2008
Sorry for opening a third thread on the same issue, but I'm still unable to
get a working l2tp/ipsec server behind nat, and I begin to wonder if anyone
has got it working with Openswan 2.6.x.
I just upgraded to Openswan 2.6.18 and switched from PSK to certificate
authentication, with no results.
My setup is this:
Real IP address
In simple words, the server with IP 192.168.0.100 is visible to the outside
world through 184.108.40.206.
When I try to connect, I find in the Openswan logs:
| find_host_pair: comparing to 192.168.0.100:500 0.0.0.0:500
| checking hostpair 192.168.0.100/32 -> 0.0.0.0/32 is found
| match_id a=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi, CN=Lux,
E=xxxxx at iotti.biz
| results matched
| trusted_ca called with a=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi,
CN=lux CA, E=xxxxx at iotti.biz b=C=IT, ST=RE, L=Reggio Emilia, O=Lux Servizi,
CN=lux CA, E=xxxxx at iotti.biz
| fc_try trying roadwarrior-l2tp:220.127.116.11/32:17/1701 ->
192.168.1.100/32:17/1701(virt) vs roadwarrior-l2tp:192.168.0.100/32:17/1701
| our client(192.168.0.100/32) not in our_net (18.104.22.168/32)
"roadwarrior-l2tp" 22.214.171.124 #1: cannot respond to IPsec SA request
because no connection is known for
IT, ST=RE, L=Reggio Emilia, O=Lux Servizi, CN=Lux,
E=xxxxx at iotti.biz,+S=C]:17/1701===192.168.1.100/32
Looking at the line "our client(192.168.0.100/32) not in our_net
(126.96.36.199/32)", it seems that Openswan is unable to realize that, due to
NAT translation, it is being contacted via the public IP address
(188.8.131.52), and that this public IP is simply the IP that was reserved
for Openswan itself.
I tried with and without type=transport obtaining the same result.
Any ideas to get this to work?
My config:
plutodebug="parsing emitting lifecycle dns oppo control controlmore
pfkey nattraversal x509"
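For readers comparing their own setup against this thread, below is an added example of an Openswan 2.6 `ipsec.conf` with the shape the debug output implies (X.509 authentication, transport mode, UDP/1701, NAT-traversal on, virtual hosts for NATed clients). It is not the poster's configuration and not an Openswan project file; the certificate file name, the `virtual_private` exclusion of the server's own LAN, and the tuning values are assumptions.

```conf
# Added example, not the poster's config. Assumed: cert file name, LAN range.
config setup
    nat_traversal=yes
    # RFC1918 ranges that NATed clients may appear from (see vhost:%priv below).
    # The server's own LAN is excluded so it is never treated as a client net.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
    # Debug classes relevant to this symptom; same key the post already uses.
    plutodebug="control controlmore nattraversal x509"

conn roadwarrior-l2tp
    type=transport
    authby=rsasig
    # Server side: the private address of the NATed host, as in the log line
    # "our client(192.168.0.100/32)". The peer proposes the public address
    # instead, which is the mismatch the post reports.
    left=192.168.0.100
    leftcert=lux.pem            # assumed certificate file under /etc/ipsec.d/certs
    leftrsasigkey=%cert
    leftprotoport=17/1701
    # Any client with a certificate from the same CA, possibly behind NAT itself.
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    pfs=no
    rekey=no
    keyingtries=3
    auto=add
```

The "our client(...) not in our_net (...)" check compares the conn's `left` address with the address the client proposed as the responder's endpoint; with this layout the two differ exactly as the quoted log shows, so the example reproduces the situation under discussion rather than resolving it.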