[Openswan Users] how to use the parameter "virtual_private=" in ipsec.conf?

Paul Wouters paul at xelerance.com
Fri Sep 18 11:53:03 EDT 2009


On Fri, 18 Sep 2009, êð wrote:

> I read the man page of ipsec.conf, but can't understand what the virtual_private is used for?
> Can anybody tell me in what case I should use this parameter? And how to use it?

It is used to "load" the "vhost:%priv" entry. vhost is used with
nat-traversal to indicate which IP ranges are allowed with a NAT-T
connection. The way NAT-T works is that a client proposes a connection
that has its non-NAT'ed IP address as part of the proposal. This can
cause problems if the server you are connecting to is using the same
IP range internally. Say your server connects you to 192.168.0.0/24
and your client is on 192.168.0.101/32 behind some public IP a.b.c.d,
then where do packets go for 192.168.0.101? The client or the server?

By adding a rightsubnet=vhost:%priv,%no, you basically ensure that the
IPsec negotiation will fail for any subnet not listed in "%priv", which
is filled with virtual_private=.

There are two possible choices for virtual_private. Either you allow
only all RFC1918 space minus those that you use yourself on the server,
or you allow 0.0.0.0/0 except those ranges used by the server. The
latter can be needed if someone is doing NAT-T without using RFC1918,
such as for example the bullet trains in Japan, or some 3G networks
that do a many-to-one NAT mapping.

Paul
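As an added illustration (not part of Paul's reply and not Openswan's own code), here is a small Python model of the two virtual_private choices described above, using the server's 192.168.0.0/24 from the example as the excluded range. The %v4: and %v4:! entry syntax is the one the ipsec.conf man page uses; the acceptance rule (proposed client subnet must lie inside an allowed range and must not overlap an excluded one) is an assumption about how the %priv check behaves, and the %no part of vhost:%priv,%no is ignored here.

```python
import ipaddress

# Constructed virtual_private= values for the two choices in the mail.
# The server hands out 192.168.0.0/24, so that range is excluded in both.
RFC1918_MINUS_SERVER = (
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24"
)
ALL_MINUS_SERVER = "%v4:0.0.0.0/0,%v4:!192.168.0.0/24"


def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, excluded) IPv4 networks.
    Entries look like %v4:10.0.0.0/8; a leading '!' after %v4: excludes a range.
    Only %v4 is modelled here."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            raise ValueError("unsupported entry in this model: %r" % entry)
        spec = entry[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(spec, strict=False))
    return allowed, excluded


def vhost_priv_accepts(virtual_private, proposed):
    """Assumed model of the %priv check behind rightsubnet=vhost:%priv,%no:
    the subnet a NAT'ed client proposes is accepted only if it sits inside
    some allowed range and does not overlap any excluded range."""
    allowed, excluded = parse_virtual_private(virtual_private)
    net = ipaddress.ip_network(proposed, strict=False)
    inside = any(net.subnet_of(a) for a in allowed)
    clashes = any(net.overlaps(e) for e in excluded)
    return inside and not clashes


if __name__ == "__main__":
    # 192.168.0.101/32 is the clashing client from the mail; 100.64.5.9/32 is a
    # constructed non-RFC1918 client address, as with the 3G networks mentioned.
    for label, vp in (("rfc1918", RFC1918_MINUS_SERVER), ("any", ALL_MINUS_SERVER)):
        for client in ("192.168.0.101/32", "192.168.1.7/32", "100.64.5.9/32"):
            print(label, client, "accept" if vhost_priv_accepts(vp, client) else "reject")
```

With the RFC1918 choice the 100.64.5.9/32 client is refused, while the 0.0.0.0/0 choice admits it; the clashing 192.168.0.101/32 client is refused under both.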

