[Openswan Users] Openswan to Openswan (behind a NAT)

Paul Wouters paul at xelerance.com
Mon Sep 21 13:06:01 EDT 2009


On Mon, 21 Sep 2009, JT Edwards wrote:

> conn ait-2-torden-xen
>         type=tunnel
>         aggrmode=no
>         compress=no
>         authby=secret
>         right=22.123.34.56 #Public IP of local Openswan server
>         rightid=22.123.34.56 #Public IP of local Openswan server
>         rightnexthop=22.123.34.1 #Public IP of Gateway front of local Openswan server
>         rightsubnet=192.168.122.0/24 # Subnet on local Openswan server  virbr0
>         rightsourceip=192.168.122.1 # IP address within 192.168.122.0/24 network
>         left=192.168.1.250    #LAN IP of remote Openswan server
>         leftid=12.234.22.224  #Public IP of router in front of Openswan server
>         leftnexthop=12.234.22.1 #Public IP of Gateway of router in front of remote Openswan server
>         leftsubnet=192.168.133.0/24 # Subnet on remote Openswan server  virbr0
>         leftsourceip=192.168.133.1 # IP address within 192.168.133.0/24 network
>         auto=start

If you are behind NAT then you need to specify (assuming you're left) left=localip, and on the
other side the "remote end" needs to point to the publicip. Note that this makes the
configuration file asymmetrical (and you cannot use the identical conn description on
both ends).

The nexthop and sourceip settings are only relevant locally (they are not exchanged) and
should match the local setup. So a nexthop is really the IP of the default gateway if
you're behind NAT (usually the same as the IP specified as remote on the other end).

Paul
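As an added illustration (not part of Paul's reply or JT's original post), here is how the quoted conn splits into the two asymmetrical files Paul describes, keeping JT's left/right labels: the NAT'd host ("left") names its own LAN address in left=, while the public host names the router's public address in the same slot. Assumed for the example and not stated in the thread: 192.168.1.1 as the NAT'd host's LAN default gateway, nat_traversal=yes in config setup (a standard Openswan 2.x setting so the NAT'd host can use UDP/4500 encapsulation), and auto=start only on the NAT'd side with auto=add on the public side, since the public host cannot initiate through the NAT unless the router forwards UDP 500/4500 inbound.

```conf
# /etc/ipsec.conf on the Openswan host BEHIND the NAT router
# (LAN address 192.168.1.250, router public address 12.234.22.224)
config setup
        nat_traversal=yes              # assumed: needed for UDP/4500 encapsulation through the NAT

conn ait-2-torden-xen
        type=tunnel
        authby=secret
        left=192.168.1.250             # local: this host's own LAN address, not the router's
        leftid=12.234.22.224           # identity the peer checks; must match rightid on the other end
        leftnexthop=192.168.1.1        # local default gateway (assumed LAN address of the NAT router)
        leftsubnet=192.168.133.0/24
        leftsourceip=192.168.133.1
        right=22.123.34.56             # remote: the peer's public address
        rightid=22.123.34.56
        rightsubnet=192.168.122.0/24
        # rightnexthop/rightsourceip omitted: only meaningful on the host where they are local
        auto=start                     # assumed: the NAT'd side initiates

# /etc/ipsec.conf on the Openswan host WITH a public address (22.123.34.56)
config setup
        nat_traversal=yes              # assumed: lets this side accept the NAT-T encapsulated peer

conn ait-2-torden-xen
        type=tunnel
        authby=secret
        left=12.234.22.224             # remote: the NAT router's public address, not 192.168.1.250
        leftid=12.234.22.224           # must equal the leftid the NAT'd host presents
        leftsubnet=192.168.133.0/24
        # leftnexthop/leftsourceip omitted: they describe the other host's local setup
        right=22.123.34.56             # local: this host's public address
        rightid=22.123.34.56
        rightnexthop=22.123.34.1       # local default gateway
        rightsubnet=192.168.122.0/24
        rightsourceip=192.168.122.1
        auto=add                       # assumed: wait for the NAT'd side to connect
```

The only address that changes between the two files is left=; the IDs and subnets stay identical on both ends, and because authby=secret selects the pre-shared key by those IDs, the ipsec.secrets entry on each host should be keyed on 12.234.22.224 and 22.123.34.56 rather than on 192.168.1.250.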

