[Openswan Users] Peer-to-NAT-to-NAT-to-Peer Configuration Question
Paul Wouters
paul at xelerance.com
Thu Sep 18 10:19:27 EDT 2008
On Wed, 17 Sep 2008, Kevin Hall wrote:
> Device-A:eth0 --> NAT_Router-A --> Public <-- NAT_Router-B <-- Device-B:eth0
> 192.168.110.100 -- 192.168.110.1 NAT 172.16.1.251 -- 172.16.1.253 NAT 192.168.130.1 -- 192.168.130.100
>
> Both Device ipsec.config have 'nat_traversal=yes' set.
Do they have virtual_private= also set?
> conn deviceA-deviceB-0-0
> type=tunnel
> left=192.168.110.100
> leftid=172.16.1.251
Since you are using NAT, using the IP as id is bad. Just set it to some custom
string, eg: leftid=@deviceA
> The farthest I have gotten from "ipsec auto --status" output is MI3 sent
> from Device-A and Device-B waiting on MI3. From tcpdump I can see that
> this is up to the first UDP encapsulated packet. It is received at
> Device-B but not processed.
Does your kernel have NAT-T support? (is it NETKEY or KLIPS+NAT-T?)
Do you not firewall udp 4500 packets by accident?
Paul
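Added example (editor's note, not part of Paul's reply or of Kevin's posted config): an ipsec.conf fragment for Device-A that applies the two points above, nat_traversal=yes together with virtual_private= in config setup, and string IDs (@deviceA / @deviceB) instead of the NAT'ed public IPs. The exclusion in virtual_private=, the @-names, authby=secret and the Device-B conn are assumptions for illustration; the addresses are the ones from the topology in the quoted mail.

```conf
# /etc/ipsec.conf on Device-A (192.168.110.100 behind NAT_Router-A, public 172.16.1.251)
config setup
        nat_traversal=yes
        # Private ranges that may appear behind a NAT'ed peer. The "!" entry
        # excludes Device-A's own LAN so it is never treated as a remote
        # virtual address (assumed layout; adjust to the real subnets).
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.110.0/24

conn deviceA-deviceB
        type=tunnel
        authby=secret            # assumption: PSK; matching entry in ipsec.secrets keyed by the @ids
        # Local side: the interface address (private), with a string ID, since the
        # address seen by the peer is the NAT router's and would not match an IP id.
        left=192.168.110.100
        leftid=@deviceA
        # Remote side: the address reachable from here is NAT_Router-B's public one;
        # again a string ID, because Device-B's real address is 192.168.130.100.
        right=172.16.1.253
        rightid=@deviceB
        auto=add

# Mirror on Device-B (192.168.130.100 behind NAT_Router-B, public 172.16.1.253):
#   left=192.168.130.100  leftid=@deviceB  right=172.16.1.251  rightid=@deviceA
# with the same @ids in ipsec.secrets on both ends.
```

Two things to verify once this is in place, matching the questions in the reply: that UDP 500 and 4500 are allowed through to the device on both sides (the NAT router in front of whichever end answers the connection has to forward them to that device), and that the kernel IPsec stack in use actually has NAT-T support, otherwise the first UDP-encapsulated packet is received but never decapsulated.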