[Openswan Users] NAT on both sides

Andy Theuninck gohanman at gmail.com
Tue Jan 27 22:52:10 EST 2009


OK, I think I'm really close. Here's my server config:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

include /etc/ipsec.d/*.conf

conn passthrough-for-non-l2tp
        type=passthrough
        left=%defaultroute
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

conn road
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        type=transport

        forceencaps=yes

        left=%defaultroute
        leftprotoport=17/1701

        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any

        auto=add

This configuration *works* with openswan to openswan connections with
both sides NATed. When I try to connect from Vista, I get this:

Jan 27 21:46:24 key pluto[15933]: "road"[2] 68.112.168.88 #1: the peer
proposed: server.nat.public.ip/32:17/1701 -> 192.168.0.3/32:17/0
Jan 27 21:46:24 key pluto[15933]: "road"[2] 68.112.168.88 #1: cannot
respond to IPsec SA request because no connection is known for
server.nat.public.ip/32===192.168.1.2[+S=C]:17/1701...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32

Based on the logs from the working openswan-to-openswan connection, it
seems that the problem is the peer insisting on the public IP. I've
applied the Vista registry fix described at
http://www.jacco2.dds.nl/networking/vista-openswan.html#NAT-T and that
doesn't seem to alter results whatsoever (yes, I did reboot).

Does anyone know what I need to do to get a Windows client working?
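As an added troubleshooting aid (my own example, not code from the post or from Openswan): parse pluto's "the peer proposed:" line and compare each half of the proposal with what conn "road" accepts, so the mismatch is named instead of just "no connection is known". It assumes the addresses in the post, with the server's public IP replaced by the placeholder 203.0.113.10 and left taken as 192.168.1.2 from the second log line.

```python
import ipaddress
import re
# Constructed log line modelled on the post's "the peer proposed:" line; the
# server's public address is the documentation placeholder 203.0.113.10.
LOG_LINE = ('Jan 27 21:46:24 key pluto[15933]: "road"[2] 68.112.168.88 #1: '
            'the peer proposed: 203.0.113.10/32:17/1701 -> 192.168.0.3/32:17/0')

# What conn "road" accepts (assumed from the post): left resolves to the
# server's private 192.168.1.2; rightsubnet=vhost:%no,%priv admits any inner
# address inside virtual_private; port 0 in a selector means %any.
CONN = {
    "left": ipaddress.ip_address("192.168.1.2"),
    "leftprotoport": (17, 1701),
    "virtual_private": [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")],
    "rightprotoport": (17, 0),
}

SEL = r"(\d+\.\d+\.\d+\.\d+)/(\d+):(\d+)/(\d+)"
PROPOSED = re.compile(r'"([^"]+)"\[\d+\] (\d+\.\d+\.\d+\.\d+) #\d+: '
                      r"the peer proposed: " + SEL + " -> " + SEL)

def parse_proposal(line):
    """Return (conn, peer_ip, ours, theirs), each selector being
    (network, proto, port), or None if the line is not a proposal."""
    m = PROPOSED.search(line)
    if not m:
        return None
    f = m.groups()
    sel = lambda i: (ipaddress.ip_network(f"{f[i]}/{f[i + 1]}"),
                     int(f[i + 2]), int(f[i + 3]))
    return f[0], f[1], sel(2), sel(6)

def check_proposal(line, conn=CONN):
    """List why the proposal does not match the conn (empty list = match)."""
    parsed = parse_proposal(line)
    if parsed is None:
        return ["not a 'peer proposed' line"]
    _, _, ours, theirs = parsed
    problems = []
    if conn["left"] not in ours[0]:
        problems.append(f"server selector {ours[0]} is not our left {conn['left']} "
                        "(peer used the NAT public address)")
    if (ours[1], ours[2]) != conn["leftprotoport"]:
        problems.append(f"server protoport {ours[1]}/{ours[2]} != leftprotoport")
    if not any(theirs[0].subnet_of(n) for n in conn["virtual_private"]):
        problems.append(f"client address {theirs[0]} is outside virtual_private")
    rp, rport = conn["rightprotoport"]
    if theirs[1] != rp or rport not in (0, theirs[2]):
        problems.append(f"client protoport {theirs[1]}/{theirs[2]} != rightprotoport")
    return problems
```

Run it against the real log line with the server's public address substituted; the only complaint it prints for the line above is the server-side address mismatch, which is the same conclusion drawn from the logs.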

