[Openswan Users] Ipsec/l2tp server behind nat

Paul Wouters paul at xelerance.com
Wed Sep 17 12:02:09 EDT 2008

On Wed, 17 Sep 2008, Lux wrote:

> My setup is like this (the IPs on the client side may vary, since I'm moving
> from one site to another):
>
>   Client --- NAT device === Internet === NAT device ---+--- ...
>                                                        |
>                                                     Openswan
>                                                      Server

Client and server cannot both be on . On top of that, it is a very poor
choice to put the openswan server behind NAT (apart from it being a bad choice
not to give the openswan machine a real IP: replace the NAT device with
OpenWrt that does NAT and openswan).

> "roadwarrior-l2tp"[2] #1: cannot respond to IPsec SA request
> because no connection is known for
> 5[@luxnb.iotti.biz,+S=C]:17/1701===

This does not match the diagram above? It looks like  is the
server's IP???

> Just for completeness: strangely enough (at least to me), if I insert in the
> conn section the line
>       leftsubnet=

Yes. I don't understand where that is coming from.
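
For reference, this is the shape of an Openswan L2TP/IPsec roadwarrior conn that would answer a transport-mode request for 17/1701 like the one in the log line above. It is an added example, not configuration from this thread or from the Openswan distribution; the conn name is taken from the log, the server LAN in virtual_private is a placeholder, and forceencaps is assumed to be available in the Openswan version in use.

```ini
# /etc/ipsec.conf (added example; the 192.168.0.0/24 server LAN is a placeholder)
config setup
    nat_traversal=yes
    # Private ranges that roaming clients may sit behind. The server's own
    # LAN is excluded with "!" so it is never treated as a client's virtual net.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
    protostack=netkey

conn roadwarrior-l2tp
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    type=transport          # L2TP/IPsec is transport mode: no leftsubnet here
    left=%defaultroute      # the server's own (private) address when it is behind NAT
    leftprotoport=17/1701   # the selector the client asks for (":17/1701" in the log)
    right=%any
    rightprotoport=17/%any  # clients may use any UDP source port for L2TP
    forceencaps=yes         # always use UDP 4500 encapsulation; needed when the
                            # server itself sits behind a NAT device
    auto=add
```

In a transport-mode L2TP conn the traffic selector is expressed with leftprotoport/rightprotoport, not leftsubnet. Whichever NAT device is kept in front of the server must forward UDP 500 and UDP 4500 to it; the L2TP traffic on UDP 1701 travels inside the ESP-in-UDP packets and needs no separate forwarding.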
