[Openswan Users] Ipsec/l2tp server behind nat
Paul Wouters
paul at xelerance.com
Wed Sep 17 12:02:09 EDT 2008
On Wed, 17 Sep 2008, Lux wrote:
> My setup is like this (the IPs on the client side may vary, since I'm moving
> from one site to another):
>
> Client 172.16.0.123
> | 172.16.0.254/24 (inside)
> NAT device
> | 234.234.234.234 (outside)
> Internet
> | 12.34.112.177 (outside)
> NAT device
> | 192.168.0.254 (inside)
> 192.168.0.0/24 LAN
> |
> Openswan server 192.168.0.100
Client and server cannot both be on 192.168.0.0/24. So this is a very poor
choice for the openswan server behind NAT. (apart from being a bad choice
to not give the openswan machine a real IP - replace the NAT device with
openwrt that does NAT and openswan)
> "roadwarrior-l2tp"[2] 23.45.203.225 #1: cannot respond to IPsec SA request
> because no connection is known for
> 12.34.112.177/32===192.168.0.100<192.168.0.100>[+S=C]:17/1701...88.61.102.225[@luxnb.iotti.biz,+S=C]:17/1701===172.16.0.123/32
This does not match the diagram above? It looks like 12.34.112.177/32 is
the server's IP ???
> Just for completeness: Strange enough (at least to me), if I insert in the
> conn section the line
> leftsubnet=12.34.112.177/32
Yes. I don't understand where that is coming from.
Paul
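An added example configuration, not from this thread or its poster, showing the usual shape of an L2TP/IPsec roadwarrior conn for an Openswan server that sits behind a NAT device. The server's own 192.168.0.0/24 is excluded from virtual_private, which is one concrete reason a client on that same subnet cannot be accepted. The addresses are the ones from the diagram; the conn names, keyword values and the two-conn NAT/noNAT split are assumptions, not the poster's file.

```ini
# /etc/ipsec.conf (assumed example, not the poster's configuration)
config setup
    nat_traversal=yes
    # Private ranges a NATed client may sit behind. The server's own LAN,
    # 192.168.0.0/24, is excluded with "!" so a client on that subnet is refused.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24

# Clients behind NAT: their real address is hidden, so accept any private one.
conn roadwarrior-l2tp-nat
    rightsubnet=vhost:%priv
    also=roadwarrior-l2tp-nonat

conn roadwarrior-l2tp-nonat
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    # The server's private address; 12.34.112.177 belongs to the NAT device.
    left=192.168.0.100
    leftprotoport=17/1701
    # No leftsubnet: L2TP traffic terminates on the server itself. The log
    # in this thread shows the peer asking for 12.34.112.177/32 on the left
    # side, which a conn like this one does not match.
    right=%any
    rightprotoport=17/%any
    auto=add
```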