[Openswan Users] Peer-to-NAT-to-NAT-to-Peer Configuration Question
Kevin Hall
khall at pt.com
Thu Sep 18 13:57:17 EDT 2008
Woohoo! Thank you very much Paul!
My iptables config was blocking 4500. A little accept incoming to 4500
rule and I've got my connection established. I've also adopted your
other points as well.
I suppose I had "tunnel" vision focusing on just IPSec/ipsec.conf. I
should also read the instructions more closely next time ->
(http://wiki.openswan.org/index.php/Openswan/ConfFirewall).
Sorry for the bother and thanks again!
Paul Wouters wrote:
> On Wed, 17 Sep 2008, Kevin Hall wrote:
>
>
>> Device-A:eth0 --> NAT_Router-A --> Public <-- NAT_Router-B <-- Device-B:eth0
>> 192.168.110.100 -- 192.168.110.1 NAT 172.16.1.251 -- 172.16.1.253 NAT 192.168.130.1 -- 192.168.130.100
>>
>> Both Device ipsec.config have 'nat_traversal=yes' set.
>>
>
> Do they have virtual_private= also set?
>
>
>> conn deviceA-deviceB-0-0
>> type=tunnel
>> left=192.168.110.100
>> leftid=172.16.1.251
>>
>
> Since you are using NAT, using the IP as id is bad. Just set it to some custom
> string, eg: leftid=@deviceA
>
>
>> The farthest I have gotten from "ipsec auto --status" output is MI3 sent
>> from Device-A and Device-B waiting on MI3. From tcpdump I can see that
>> this is up to the first UDP encapsulated packet. It is received at
>> Device-B but not processed.
>>
>
> Does your kernel have NAT-T support? (is it NETKEY or KLIPS+NAT-T?)
>
> Do you not firewall udp 4500 packets by accident?
>
> Paul
>
--
Kevin Hall
Software Engineer
Performance Technologies
khall at pt.com
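The fix Kevin describes is a firewall rule admitting NAT-T traffic on udp/4500, which the Openswan firewall wiki page linked above lists alongside IKE on udp/500 and ESP (IP protocol 50). The script below is an added example, not code from the thread or from the Openswan project: it prints the three iptables rules a NAT-T peer needs and audits an `iptables-save` dump for them, so the "udp 4500 silently dropped" situation from this thread can be caught before debugging IKE state. The interface name `eth0`, the `INPUT` chain, and the sample dumps are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: iptables rules for an Openswan NAT-T peer, plus an audit
# function that checks an iptables-save dump for them. Interface name and
# chain are assumptions; adjust to the host.

# Print the accept rules a NAT-T IPsec peer needs on its public interface:
# IKE (udp/500), NAT-T encapsulation (udp/4500) and plain ESP (protocol 50).
ipsec_firewall_rules() {
    iface="${1:-eth0}"   # assumption: public/WAN interface
    cat <<EOF
iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $iface -p esp -j ACCEPT
EOF
}

# Read an iptables-save dump on stdin and report which of the three
# required accept rules are absent. Returns 0 when all are present,
# 1 when at least one is missing (the udp/4500 case from this thread).
audit_ipsec_firewall() {
    dump="$(cat)"
    missing=0
    # Trailing space after the port keeps "--dport 500" from matching 4500.
    for need in "-p udp .*--dport 500 .*-j ACCEPT" \
                "-p udp .*--dport 4500 .*-j ACCEPT" \
                "-p esp .*-j ACCEPT"; do
        if ! printf '%s\n' "$dump" | grep -Eq -- "$need"; then
            echo "missing accept rule matching: $need"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample dump resembling the original problem: IKE and ESP
# are allowed, but nothing accepts the NAT-T port, so IKE stalls at MI3.
SAMPLE_DUMP_BLOCKED='-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT'

# Stand-alone demo: audit the constructed dump, then show the rules to add.
printf '%s\n' "$SAMPLE_DUMP_BLOCKED" | audit_ipsec_firewall \
    || echo "firewall is missing IPsec rules; suggested: $(ipsec_firewall_rules eth0 | tr '\n' ';')"
```

To run the audit against a live host, pipe `iptables-save` into `audit_ipsec_firewall`; a non-zero exit means one of the three rules is absent. The pattern match is deliberately loose about match modules (`-m udp`) so it works with dumps from different iptables versions.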