[Openswan Users] virtual_private syntax error???

DeShawn deshawn at rocketmail.com
Sun Feb 22 00:34:43 EST 2009


I have a working Openswan 2.6.20 installed. I can connect roadwarriors that have a public IP (no NAT) using X.509 certificates. My next step is getting NAT-T working.

I'm using Openswan 2.6.20, kernel 2.6.28 (vanilla), and NETKEY.
I have the private networks 192.168.231.0/24 and 172.16.1.0/24 on my router.

In my /etc/ipsec.conf, I specified the following...

config setup
        nat_traversal=yes
        # RFC 1918 ranges a NATed roadwarrior may claim as its inner address,
        # minus the two LANs behind this gateway (written as network addresses;
        # the original line had 192.168.231.1/24 with the host bit set)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.231.0/24,%v4:!172.16.1.0/24


"ipsec setup start" starts ipsec well enough, however I can't connect my roadwarriors from behind a NAT. After some investigation, I found
[ ~ ]# ipsec auto status
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 2 subnets: 192.168.231.0/24, 172.16.1.0/24
000 WARNING: Either virtual_private= was not specified, or there was a syntax 
000          error in that line. 'left/rightsubnet=%priv' will not work!
 
And sure enough, when I entered

        # fragment of the roadwarrior conn section; the remaining settings are not shown here
        right=%any                      # accept the peer from any address
        rightsubnet=vhost:%no,%priv     # peer's inner address: none, or one from virtual_private
        rightprotoport=17/%any          # UDP, any port
        rightrsasigkey=%cert            # peer's key taken from its X.509 certificate

"ipsec setup start" failed to start ipsec correctly

A syntax error??? I don't get it, I copied and pasted the line straight from the man page and various examples from across the internet. I even tried just the IETF-defined private networks and replacing %v4 with %4.

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
virtual_private=%4:10.0.0.0/8,%4:172.16.0.0/12,%4:192.168.0.0/16

But I still get the "WARNING: Either virtual_private= was not specified, or there was a syntax error in that line. 'left/rightsubnet=%priv' will not work!" error from "ipsec auto status", and if I include "rightsubnet=vhost:%no,%priv", IPsec fails to start.


What is the syntax error? What am I doing wrong??
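The following is an added checker for the virtual_private= syntax, not part of the original post and not Openswan code. It assumes only the documented form of the value: comma-separated entries, each prefixed with %v4: or %v6:, with a leading ! marking an excluded network. It rejects entries whose host bits are set (such as 192.168.231.1/24 in the post), which is stricter than what the status output above suggests the daemon did with that entry (it shows it masked to 192.168.231.0/24), and it rejects the %4: spelling, which is not one of the two documented prefixes. It also evaluates whether a given roadwarrior inner address would fall under %priv (allowed minus excluded). The sample lines are the ones from the post, re-typed here.

```python
import ipaddress

# Address-family prefixes documented for virtual_private= (the post's %4: is not one of them)
FAMILY_PREFIXES = {"%v4": 4, "%v6": 6}


def parse_virtual_private(value):
    """Parse a virtual_private= value into allowed/excluded networks plus a list of errors.

    Returns a dict: {"allowed": [...], "excluded": [...], "errors": [(entry, reason), ...]}.
    Network objects come from the standard ipaddress module.
    """
    allowed, excluded, errors = [], [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            errors.append((raw, "empty entry"))
            continue
        prefix, sep, net = entry.partition(":")
        if not sep or prefix not in FAMILY_PREFIXES:
            errors.append((entry, "expected %%v4: or %%v6: prefix, got %r" % prefix))
            continue
        negate = net.startswith("!")
        if negate:
            net = net[1:]
        try:
            # strict=True refuses networks with host bits set, e.g. 192.168.231.1/24
            network = ipaddress.ip_network(net, strict=True)
        except ValueError as exc:
            errors.append((entry, str(exc)))
            continue
        if network.version != FAMILY_PREFIXES[prefix]:
            errors.append((entry, "address does not match the %s prefix" % prefix))
            continue
        (excluded if negate else allowed).append(network)
    return {"allowed": allowed, "excluded": excluded, "errors": errors}


def is_priv_address(addr, spec):
    """True if addr would be accepted under rightsubnet=%priv for the parsed spec:
    inside some allowed network and not inside any excluded one."""
    address = ipaddress.ip_address(addr)
    if any(address in net for net in spec["excluded"]):
        return False
    return any(address in net for net in spec["allowed"])


# Constructed sample values, copied from the post above.
POSTED_LINE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
               "%v4:!192.168.231.1/24,%v4:!172.16.1.0/24")
CORRECTED_LINE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                  "%v4:!192.168.231.0/24,%v4:!172.16.1.0/24")
PERCENT4_LINE = "%4:10.0.0.0/8,%4:172.16.0.0/12,%4:192.168.0.0/16"


def report(label, value):
    """Print a short summary of one virtual_private= value and return the parsed spec."""
    spec = parse_virtual_private(value)
    print("%s: %d allowed, %d excluded, %d error(s)" % (
        label, len(spec["allowed"]), len(spec["excluded"]), len(spec["errors"])))
    for entry, reason in spec["errors"]:
        print("  %s -> %s" % (entry, reason))
    return spec


if __name__ == "__main__":
    report("posted", POSTED_LINE)
    spec = report("corrected", CORRECTED_LINE)
    report("%4 variant", PERCENT4_LINE)
    for client in ("192.168.5.5", "192.168.231.5", "172.16.1.9", "8.8.8.8"):
        print("%s under %%priv: %s" % (client, is_priv_address(client, spec)))
```

Run it as a script to see each line's verdict; the point of the allowed-minus-excluded check is that a NATed client claiming an address inside one of the gateway's own LANs must be refused, otherwise it could be routed as if it sat on that LAN.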

