[Openswan Users] Re: Ipsec/l2tp server behind nat, again(2)
tis at foobar.fi
Thu Oct 9 01:11:58 EDT 2008
>> From: Brad Johnson [mailto:bjohnson at astrocorp.com]
>> Sent: Wednesday, 8 October 2008 18:19
>> If incoming packets to OpenSwan are being DNAT'ed (port forwarded) by
>> the NAT device, how could OpenSwan possibly realize it is being
>> contacted via 188.8.131.52?
>> I think you may need to add a leftid to your server config,
>> like this maybe:
> I agree with you that I need some way to tell Openswan that that Ip address
> refers to the Openswan box itself. But how?
> I tried with leftid, but with no result.
> The only result I could find, which confirms the idea, is that if I put in
> the config a line stating
> In this scenario the IPSec tunnel can be initiated regularly, because
> Openswan receives a request to create a tunnel from 192.168.1.100/ to
> 184.108.40.206/32 , and it actually does this.
> So Openswan creates this tunnel, "thinking" that 220.127.116.11 is someone
> else's address.
> Obviously I don't know what to do with this tunnel, since a computer with
> 18.104.22.168 as the address does not actually exist, and any traffic
> (particularly l2tp) I wanted to go through the tunnel, should come from that
hack I once used was to add real ip of firewall as loopback alias with
/32 netmask. But that's an ugly hack.
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>