[Openswan Users] R: Ipsec/l2tp server behind nat, again(2)

Tuomo Soini tis at foobar.fi
Thu Oct 9 01:11:58 EDT 2008


Lux wrote:
>> From: Brad Johnson [mailto:bjohnson at astrocorp.com]
>> Sent: Wednesday 8 October 2008 18.19
>> If incoming packets to OpenSwan are being DNAT'ed (port 
>> forwarded) by 
>> the NAT device, how could OpenSwan possibly realize it is being 
>> contacted via
>> I think you may need to add a leftid to your server config, 
>> like this maybe:
>> leftid=
> I agree with you that I need some way to tell Openswan that that IP address
> refers to the Openswan box itself. But how?
> I tried with leftid, but with no result.
> The only result I could find, which confirms the idea, is that if I put in
> the config a line stating 
> leftsubnet=
> In this scenario the IPSec tunnel can be initiated regularly, because
> Openswan receives a request to create a tunnel from to
> , and it actually does this. 
> So Openswan creates this tunnel, "thinking" that is someone
> else's address.
> Obviously I don't know what to do with this tunnel, since a computer with
> as the address does not effectively exist, and any traffic
> (particularly l2tp) I wanted to go through the tunnel, should come from that
> address.

A hack I once used was to add the real IP of the firewall as a loopback alias with
a /32 netmask. But that's an ugly hack.

--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
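The loopback-alias trick from the reply above, as an added example that is not from the thread or from the Openswan project: a small POSIX sh helper that validates the address, builds the idempotent iproute2 command for adding (and removing) the NAT device's public address as a /32 on `lo`, and checks an `ip -o -4 addr show dev lo` listing for it. It assumes Linux with iproute2; the address 203.0.113.10 and the listing text are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumption: Linux host running iproute2 ("ip"); the public address below
# (203.0.113.10) is a constructed placeholder for the NAT device's outside IP.

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip4=$1
    case "$ip4" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip4" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the command that installs the alias. "replace" succeeds even if the
# address is already present, so the script is safe to rerun at boot.
# The /32 mask matters: a wider mask would also add a connected route for the
# NAT device's whole subnet onto lo and blackhole traffic for those hosts.
lo_alias_add_cmd() {
    valid_ipv4 "$1" || return 1
    printf 'ip addr replace %s/32 dev lo\n' "$1"
}

# Print the matching rollback command.
lo_alias_del_cmd() {
    valid_ipv4 "$1" || return 1
    printf 'ip addr del %s/32 dev lo\n' "$1"
}

# Given the text of `ip -o -4 addr show dev lo` in $2, report whether $1/32 is
# configured (exit 0) or not (exit 1).
lo_has_alias() {
    printf '%s\n' "$2" | grep -qF "inet $1/32 "
}

# Apply the alias for real (needs root). Echoes the command first so the
# change is visible in the session log.
apply_lo_alias() {
    cmd=$(lo_alias_add_cmd "$1") || { echo "invalid address: $1" >&2; return 1; }
    echo "+ $cmd"
    $cmd
}

# Usage (as root):  apply_lo_alias 203.0.113.10
# Verify:           lo_has_alias 203.0.113.10 "$(ip -o -4 addr show dev lo)"
```

After the alias is in place the kernel treats the public address as local, which is the whole point of the hack; undo it with the output of `lo_alias_del_cmd` when the proper fix (correct `left=`/`leftid=` settings, the subject of this thread) is worked out.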

