[Openswan Users] NAT on both sides

andrew colin andrew.colin at gmail.com
Wed Jan 28 01:36:43 EST 2009


Please let me know if you get it working with a Windows client.

On Wed, Jan 28, 2009 at 5:52 AM, Andy Theuninck <gohanman at gmail.com> wrote:
> OK, I think I'm really close. Here's my server config:
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>        protostack=netkey
>        nat_traversal=yes
>        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> include /etc/ipsec.d/*.conf
>
> conn passthrough-for-non-l2tp
>        type=passthrough
>        left=%defaultroute
>        right=0.0.0.0
>        rightsubnet=0.0.0.0/0
>        auto=route
>
> conn road
>        authby=secret
>        pfs=no
>        rekey=no
>        keyingtries=3
>        type=transport
>
>        forceencaps=yes
>
>        left=%defaultroute
>        leftprotoport=17/1701
>
>        right=%any
>        rightsubnet=vhost:%no,%priv
>        rightprotoport=17/%any
>
>        auto=add
>
> This configuration *works* with openswan to openswan connections with
> both sides NATed. When I try to connect from Vista, I get this:
>
> Jan 27 21:46:24 key pluto[15933]: "road"[2] 68.112.168.88 #1: the peer
> proposed: server.nat.public.ip/32:17/1701 -> 192.168.0.3/32:17/0
> Jan 27 21:46:24 key pluto[15933]: "road"[2] 68.112.168.88 #1: cannot
> respond to IPsec SA request because no connection is known for
> server.nat.public.ip/32===192.168.1.2[+S=C]:17/1701...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32
>
> Based on the logs from the working openswan-to-openswan connection, it
> seems that the problem is the peer insisting on the public IP. I've
> applied the Vista registry fix described at
> http://www.jacco2.dds.nl/networking/vista-openswan.html#NAT-T and that
> doesn't seem to alter results whatsoever (yes, I did reboot).
>
> Does anyone know what I need to do to get a Windows client working?
-- 
"Dru"
To follow the path, look to the master, follow the master, walk with
the master, see through the master, become the master. (zen)
http://www.topdog.za.net/
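As an added illustration (not code from the thread or from Openswan itself), a small Python parser for the two pluto strings quoted above that reports which selector of the peer's proposal cannot match a transport-mode conn. It assumes the strings follow exactly the layout shown in the quoted log, that port 0 and %any both mean "any port", and that the first bracketed item on the right endpoint is the private address a NATed peer reports for itself.

```python
import re

# Constructed sample input: the two pluto log strings quoted in the thread
# (the public-address placeholder is the original poster's own redaction).
PROPOSED = "server.nat.public.ip/32:17/1701 -> 192.168.0.3/32:17/0"
KNOWN_FOR = ("server.nat.public.ip/32===192.168.1.2[+S=C]:17/1701"
             "...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32")

def parse_selector(text):
    """'net/plen:proto/port' -> dict; port 0 and %any both become 'any'."""
    m = re.fullmatch(r"([^/\s]+)/(\d+):(\d+)/(\S+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised selector: {text!r}")
    net, plen, proto, port = m.groups()
    return {"net": net, "plen": int(plen), "proto": int(proto),
            "port": "any" if port in ("0", "%any") else port}

def parse_endpoint(text):
    """'host[id,flags]:proto/port' -> dict; the leading bracket item is
    assumed to be the private address a NATed peer reports for itself."""
    m = re.fullmatch(r"([^\[\s]+)\[([^\]]*)\]:(\d+)/(\S+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    host, inner, proto, port = m.groups()
    items = inner.split(",")
    return {"host": host, "id": items[0] if len(items) > 1 else None,
            "proto": int(proto), "port": "any" if port in ("0", "%any") else port}

def diagnose(proposed_line, known_for, leftprotoport="17/1701"):
    """List the selectors in the peer's proposal that cannot match a
    transport-mode conn; an empty list means every selector fits."""
    prop_left, prop_right = (parse_selector(s) for s in proposed_line.split("->"))
    left, right = known_for.split("...")
    left_ep = parse_endpoint(left.split("===")[1])      # our own IKE endpoint
    right_ep = parse_endpoint(right.split("===")[0])    # the peer's endpoint
    cfg_proto, cfg_port = leftprotoport.split("/")
    findings = []
    # Transport mode carries no subnets: each client selector has to be that
    # side's own address, or for a NATed peer the private address it reports.
    if prop_left["net"] != left_ep["host"]:
        findings.append(f"left: peer proposed {prop_left['net']} for our side, "
                        f"but our IKE address is {left_ep['host']}")
    if prop_right["net"] not in (right_ep["host"], right_ep["id"]):
        findings.append(f"right: peer proposed {prop_right['net']}, but it is "
                        f"{right_ep['host']} (reports {right_ep['id']} behind NAT)")
    if prop_left["proto"] != int(cfg_proto) or prop_left["port"] not in ("any", cfg_port):
        findings.append(f"left: proposed {prop_left['proto']}/{prop_left['port']} "
                        f"does not match leftprotoport={leftprotoport}")
    return findings
```

Run against the two strings from your own log; on the quoted sample the only finding is the left side, which matches the poster's reading that Vista names the server's public address while the server's own address is its NATed 192.168.1.2.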