[Openswan Users] Re: Ipsec/l2tp server behind nat, again(2)
Tuomo Soini
tis at foobar.fi
Thu Oct 9 01:11:58 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Lux wrote:
>> From: Brad Johnson [mailto:bjohnson at astrocorp.com]
>> Sent: Wednesday 8 October 2008 18:19
>
>> If incoming packets to OpenSwan are being DNAT'ed (port
>> forwarded) by
>> the NAT device, how could OpenSwan possibly realize it is being
>> contacted via 12.34.112.177?
>> I think you may need to add a leftid to your server config,
>> like this maybe:
>>
>> leftid=12.34.112.177
>
> I agree with you that I need some way to tell Openswan that that IP address
> refers to the Openswan box itself. But how?
> I tried with leftid, but with no result.
> The only result I could find, which confirms the idea, is that if I put in
> the config a line stating
> leftsubnet=12.34.112.177/32
> In this scenario the IPSec tunnel can be initiated regularly, because
> Openswan receives a request to create a tunnel from 192.168.1.100 to
> 12.34.112.177/32, and it actually does this.
> So Openswan creates this tunnel, "thinking" that 12.34.112.177 is someone
> else's address.
>
> Obviously I don't know what to do with this tunnel, since a computer with
> 12.34.112.177 as the address does not effectively exist, and any traffic
> (particularly l2tp) I wanted to go through the tunnel should come from that
> address.
A hack I once used was to add the real IP of the firewall as a loopback alias with
a /32 netmask. But that's an ugly hack.
- --
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFI7ZKeTlrZKzwul1ERAmGKAJkBRk4HEbthjd//+K8QcLD2i40hXQCgtnQr
UqqmoIgAv5NL6Y162dcevJ0=
=Qxfb
-----END PGP SIGNATURE-----
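The loopback-alias hack Tuomo describes, together with the leftid setting Brad suggested, written out as an added shell example (this is not code from the thread or from the Openswan project). It assumes the public address 12.34.112.177 from the thread, that the box runs iproute2 (`ip`), and a conn stanza using the usual Openswan L2TP transport-mode settings (authby=secret, type=transport, leftprotoport=17/1701, rightprotoport=17/%any); the conn name `l2tp-psk-nat` and the environment variables are assumptions for illustration. The alias is only added when APPLY_LO_ALIAS is set, so the script can be sourced or dry-run without root.

```shell
#!/bin/sh
# Added example: make a DNAT'ed public IP "local" to an Openswan L2TP/IPsec
# server behind NAT by aliasing it on lo (Tuomo Soini's hack) and render a
# conn stanza that identifies the server by that address (leftid).
set -u

PUBLIC_IP="${PUBLIC_IP:-12.34.112.177}"   # public address forwarded to this box (from the thread)

# valid_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address, 1 otherwise.
# Used as a guard so a typo never lands on lo.
valid_ipv4() {
    addr="$1"
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# alias_present ADDR -> reads `ip -4 addr show dev lo` output on stdin and
# returns 0 if ADDR/32 is already configured on lo.
alias_present() {
    grep -qF "inet $1/32 "
}

# ensure_lo_alias ADDR -> idempotently add ADDR/32 to lo (needs root).
ensure_lo_alias() {
    addr="$1"
    valid_ipv4 "$addr" || { echo "refusing to add invalid address: $addr" >&2; return 1; }
    if ip -4 addr show dev lo | alias_present "$addr"; then
        echo "$addr/32 already present on lo"
        return 0
    fi
    ip addr add "$addr/32" dev lo
}

# render_conn PUBLIC_IP -> print an ipsec.conf conn stanza (assumed standard
# L2TP transport-mode settings; the conn name is an assumption).
render_conn() {
    pub="$1"
    valid_ipv4 "$pub" || return 1
    cat <<EOF
conn l2tp-psk-nat
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    type=transport
    left=%defaultroute
    leftid=$pub
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
EOF
}

# Only touch the network when explicitly asked (APPLY_LO_ALIAS=1, as root).
if [ -n "${APPLY_LO_ALIAS:-}" ]; then
    ensure_lo_alias "$PUBLIC_IP"
    render_conn "$PUBLIC_IP"
fi
```

Usage: `APPLY_LO_ALIAS=1 sh nat-l2tp.sh` as root adds the alias and prints the stanza to paste into ipsec.conf; without the variable nothing is changed. The alias does not survive a reboot unless it is added in the distribution's interface configuration, and the firewall's DNAT rule for UDP 500/4500 (and 1701 if L2TP is not forced through IPsec) must still point at the box.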