[Openswan Users] both are NATed: xp vs vista
Eray Aslan
eray.aslan at caf.com.tr
Tue Nov 17 08:20:14 EST 2009
On 17.11.2009 14:50, Marc Fisher wrote:
> hi,
> I see you were able to connect NATed windows client to openswan with
> NETKEY, I've been trying to do this for weeks.
> Could you please provide some details on how you managed to do this
> (preferably config)? Are you using certs or psk?
x509 certs. Only CN is different in the certificates. Please note that
this is openswan 2.4.15. I believe you need 2.6.24rcX to connect NATed
Windows clients to openswan server in the openswan-2.6 branch. Anyway:
/etc/ipsec/ipsec.conf:

version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
    nhelpers=0

conn l2tp-X.509-outside
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=your.ip.add.ress
    leftrsasigkey=%cert
    leftcert=/etc/ipsec/ipsec.d/certs/mycert.pem
    leftprotoport=17/1701
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightprotoport=17/1701
    rightsubnet=vhost:%priv,%no
Also check /etc/ipsec.d/examples.
--
Eray
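As an added illustration (not part of the original mail or of openswan), the following Python lints an ipsec.conf for the three NAT-T roadwarrior settings the config above relies on: nat_traversal=yes, a virtual_private list that excludes the server's own LAN, and rightsubnet=vhost:%priv,%no. The sample config and the assumed server LAN of 10.0.0.0/24 are constructed.

```python
import ipaddress
# Constructed sample mirroring the config in the mail; server LAN 10.0.0.0/24 is assumed.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
conn l2tp-X.509-outside
    authby=rsasig
    leftcert=/etc/ipsec/ipsec.d/certs/mycert.pem
    right=%any
    rightsubnet=vhost:%priv,%no
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():   # unindented line: 'config X', 'conn X' or 'version'
            words = line.split()
            current = words[1] if words[0] in ('config', 'conn') and len(words) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint_nat_roadwarrior(text, conn, server_lan):
    """Return problems with the NAT-T roadwarrior settings; an empty list means OK."""
    cfg = parse_ipsec_conf(text)
    setup, c = cfg.get('setup', {}), cfg.get(conn, {})
    problems = []
    if setup.get('nat_traversal') != 'yes':
        problems.append('nat_traversal=yes is required for NATed clients')
    parts = [p for p in setup.get('virtual_private', '').split(',') if p.startswith('%v4:')]
    allowed = [ipaddress.ip_network(p[4:]) for p in parts if not p.startswith('%v4:!')]
    excluded = [ipaddress.ip_network(p[5:]) for p in parts if p.startswith('%v4:!')]
    lan = ipaddress.ip_network(server_lan)
    # The server's own LAN must be excluded, or a client may claim an address that collides with it.
    if any(lan.subnet_of(a) for a in allowed) and not any(lan.subnet_of(e) for e in excluded):
        problems.append(f'server LAN {lan} is inside virtual_private but not excluded with %v4:!')
    if c.get('rightsubnet') != 'vhost:%priv,%no':
        problems.append('rightsubnet=vhost:%priv,%no lets NATed clients use private addresses')
    if c.get('authby') == 'rsasig' and not c.get('leftcert'):
        problems.append('authby=rsasig requires leftcert')
    return problems
```

Run it against your own /etc/ipsec/ipsec.conf with the conn name and the LAN behind the server; an empty list means the NAT-related settings match the working config above.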
> Thanks,
> Marc
>
> Eray Aslan wrote:
>> Hi,
>>
>> We have a server connecting roadwarriors to HQ via openswan. Server has
>> 2 connections to outside world. One connection is direct and the other
>> is behind NAT. Roadwarriors are almost always behind NAT.
>>
>> Vista clients can establish SA to both connections with no problems. XP
>> clients can only connect to the conn of the direct connection but not
>> to the connection behind NAT.
>>
>> openswan 2.4.15 using netkey
>> kernel 2.6.30
>>
>> Any pointers? To recap: XP cannot connect to server behind NAT but Vista
>> can.
>>
>> Scheduling maintenance for trying 2.6.24rc2 is difficult but I can try
>> if it is a known problem.
>>
>>