[Openswan Users] Peer-to-NAT-to-NAT-to-Peer Configuration Question

Paul Wouters paul at xelerance.com
Thu Sep 18 10:19:27 EDT 2008

On Wed, 17 Sep 2008, Kevin Hall wrote:

> Device-A:eth0 --> NAT_Router-A --> Public <-- NAT_Router-B <-- Device-B:eth0
> -- NAT -- NAT --
> Both Device ipsec.config have 'nat_traversal=yes' set.  

Do they have virtual_private= also set?

> conn deviceA-deviceB-0-0
>      type=tunnel
>      left=
>      leftid=

Since you are using NAT, using the IP as id is bad. Just set it to some custom
string, e.g. leftid=@deviceA

> The farthest I have gotten from "ipsec auto --status" output is MI3 sent 
> from Device-A and Device-B waiting on MI3.  From tcpdump I can see that 
> this is up to the first UDP encapsulated packet.  It is received at 
> Device-B but not processed.

Does your kernel have NAT-T support? (is it NETKEY or KLIPS+NAT-T?)

Do you not firewall UDP 4500 packets by accident?
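Added example (not from this thread or from Openswan itself): a small Python lint that parses an ipsec.conf-style file and flags the three NAT-traversal points raised above, nat_traversal=yes, virtual_private=, and an IP literal used as leftid/rightid. The sample configuration and the names parse_ipsec_conf / nat_t_findings are constructed for the illustration.

```python
import ipaddress

# Constructed sample shaped like the thread's setup: NAT-T is on, but
# virtual_private is missing and leftid is the (NATed) IP address.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn deviceA-deviceB-0-0
    left=192.0.2.10
    leftid=192.0.2.10
    right=%any
    rightid=@deviceB
"""

def parse_ipsec_conf(text):
    # A non-indented line opens a 'config setup' / 'conn NAME' section;
    # the indented key=value lines that follow belong to it.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def is_ip_literal(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def nat_t_findings(text):
    # Flags, in file order, the three points raised in the reply above.
    sections = parse_ipsec_conf(text)
    setup = sections.get("config setup", {})
    findings = []
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is not set")
    if not setup.get("virtual_private"):
        findings.append("config setup: virtual_private= is not set")
    for name, conn in sections.items():
        for side in ("leftid", "rightid"):   # an IP as id breaks behind NAT
            if is_ip_literal(conn.get(side, "")):
                findings.append(f"{name}: {side}={conn[side]} is an IP literal, use e.g. {side}=@name")
    return findings
```

Run nat_t_findings on a real ipsec.conf to see which of the three points still applies before digging into kernel NAT-T support or the firewall.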

