[Openswan Users] Ipsec/l2tp server behind nat

Paul Wouters paul at xelerance.com
Wed Sep 17 12:02:09 EDT 2008


On Wed, 17 Sep 2008, Lux wrote:

> My setup is like this (the IPs on the client side may vary, since I'm moving
> from one site to another):
>
>                   NAT-        Internet        NAT-
> Client  --------- device  =================== device -------------+--------
> ... 192.168.0.0/24
> 172.16.0.123     /     \                      /     \             |
>                /       \                    /   192.168.0.254 Openswan
>     172.16.0.254/24  234.234.234.234   12.34.112.177          Server
>                                                             192.168.0.100

Client and server cannot both be on 192.168.0.0/24. So this is a very poor
choice for the openswan server behind nat. (apart from being a bad choice
to not give the openswan machine a real IP - replace the NAT device with
openwrt that does NAT and openswan)

> "roadwarrior-l2tp"[2] 23.45.203.225 #1: cannot respond to IPsec SA request
> because no connection is known for
> 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...88.61.102.22
> 5[@luxnb.iotti.biz,+S=C]:17/1701===172.16.0.123/32

This does not match the diagram above? It looks like 12.34.112.177/32 is
the server's IP ???

> Just for completeness: Strange enough (at least to me), if I insert in the
> conn section the line
>       leftsubnet=12.34.112.177/32

Yes. I don't understand where that is coming from.

Paul
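The "cannot respond to IPsec SA request because no connection is known for ..." line quoted in this thread prints the selectors the peer asked for in the form `leftclient===lefthost<nexthop>[id]:proto/port...righthost[id]:proto/port===rightclient`. The script below, an added diagnostic example for this thread and not Openswan's own code, parses that string and reports which parts of a conn definition it does not cover. The selector string and the conn are constructed (RFC 5737 addresses); the conn follows the usual L2TP/IPsec roadwarrior shape, `virtual_private` is assumed to be the three RFC 1918 ranges, and `left` is assumed to be an explicit address rather than `%defaultroute`.

```python
"""Diagnose Pluto's 'no connection is known for ...' selector string.

Added example for this thread, not Openswan code.  SAMPLE and CONN are
constructed; PRIVATE assumes a default-style virtual_private setting."""
import ipaddress
import re

# One end of the selector: host[<nexthop>][id]:proto/port (IPv4 only here).
_END = (r"(?P<{s}host>[^<\[:]+)(?:<(?P<{s}nexthop>[^>]*)>)?"
        r"(?:\[(?P<{s}id>[^\]]*)\])?:(?P<{s}proto>\d+)/(?P<{s}port>\d+)")
# Whole string: leftclient===leftend...rightend===rightclient
SEL_RE = re.compile(r"^(?P<lsub>\S+?)===" + _END.format(s="l")
                    + r"\.\.\." + _END.format(s="r") + r"===(?P<rsub>\S+)$")

# Constructed sample in the shape of the log line quoted in the thread:
# the server's left client is its NAT device's public address, not its own.
SAMPLE = ("203.0.113.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701"
          "...198.51.100.225[@client.example,+S=C]:17/1701===172.16.0.123/32")

# Constructed conn in ipsec.conf terms; left is the Openswan box behind NAT.
CONN = {
    "left": "192.168.0.100",
    "leftprotoport": "17/1701",
    "right": "%any",
    "rightprotoport": "17/%any",
    "rightsubnet": "vhost:%priv,%no",   # NATed client may use its private /32
}

# Assumed virtual_private ranges used to resolve %priv.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_selector(text):
    """Split Pluto's selector string into its left/right ends and clients."""
    m = SEL_RE.match(text)
    if m is None:
        raise ValueError("selector string not recognised: %r" % text)
    g = m.groupdict()

    def end(s):
        return {"host": ipaddress.ip_address(g[s + "host"]),
                "id": g[s + "id"], "proto": int(g[s + "proto"]),
                "port": int(g[s + "port"])}

    return {"left": end("l"), "leftsubnet": ipaddress.ip_network(g["lsub"]),
            "right": end("r"), "rightsubnet": ipaddress.ip_network(g["rsub"])}


def _protoport_ok(spec, proto, port):
    """'17/1701' must match exactly; '17/%any' or no setting accepts any port."""
    if spec in (None, "%any"):
        return True
    p, _, prt = spec.partition("/")
    if int(p) != proto:
        return False
    return prt in ("%any", "0") or int(prt) == port


def _client_ok(spec, host, subnet):
    """Check a requested client subnet against a conn's subnet setting.

    No setting means the host itself (host/32).  'vhost:%priv,%no' accepts a
    private /32 (client behind NAT) or the host itself.  Anything else is a
    fixed subnet that must match exactly."""
    if spec is None:
        return subnet == ipaddress.ip_network(str(host))
    if spec.startswith("vhost:"):
        allowed = spec[len("vhost:"):].split(",")
        if "%no" in allowed and subnet == ipaddress.ip_network(str(host)):
            return True
        if "%priv" in allowed and subnet.prefixlen == subnet.max_prefixlen:
            return any(subnet.subnet_of(n) for n in PRIVATE)
        return False
    return subnet == ipaddress.ip_network(spec, strict=False)


def check_request(text, conn=CONN):
    """Return the selector parts `conn` does not cover (empty list = covered)."""
    sel = parse_selector(text)
    problems = []
    if sel["left"]["host"] != ipaddress.ip_address(conn["left"]):
        problems.append("left host %s does not match left=%s"
                        % (sel["left"]["host"], conn["left"]))
    if not _client_ok(conn.get("leftsubnet"), sel["left"]["host"], sel["leftsubnet"]):
        problems.append("leftsubnet: request wants %s, conn has %s"
                        % (sel["leftsubnet"], conn.get("leftsubnet") or conn["left"] + "/32"))
    if not _protoport_ok(conn.get("leftprotoport"), sel["left"]["proto"], sel["left"]["port"]):
        problems.append("leftprotoport does not cover %d/%d"
                        % (sel["left"]["proto"], sel["left"]["port"]))
    if conn["right"] != "%any" and sel["right"]["host"] != ipaddress.ip_address(conn["right"]):
        problems.append("right host %s does not match right=%s"
                        % (sel["right"]["host"], conn["right"]))
    if not _client_ok(conn.get("rightsubnet"), sel["right"]["host"], sel["rightsubnet"]):
        problems.append("rightsubnet: request wants %s, conn has %s"
                        % (sel["rightsubnet"], conn.get("rightsubnet") or "right/32"))
    if not _protoport_ok(conn.get("rightprotoport"), sel["right"]["proto"], sel["right"]["port"]):
        problems.append("rightprotoport does not cover %d/%d"
                        % (sel["right"]["proto"], sel["right"]["port"]))
    return problems


if __name__ == "__main__":
    for line in check_request(SAMPLE) or ["selectors are covered by the conn"]:
        print(line)
```

Run against the constructed sample, the only complaint is the left client: the request names the NAT device's public address as the server's client subnet while the conn only knows the private `left` address. That is the same shape as the quoted log line, and it is why adding a `leftsubnet=` line with the public address changes the outcome. Pluto's own matching is stricter than this script in places (IDs, the `virtual_private` exclusions), so treat an empty result as "the selectors are not the problem", not as a guarantee the conn will be chosen.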

