[Openswan Users] unable to establish sa, maybe nat-t issue
DA VEH
thegenrlftw at gmail.com
Sun Jan 3 15:57:13 EST 2010
hi,
i am having issues setting up a vpn through routers on both ends. this has
been working for months on a LAN but now i would like to have remote
capabilities to my parents' house. it might just be a concept problem that
maybe somebody can help me understand why it won't work.
to make this easier, i have a link to a picture of the network:
http://i76.photobucket.com/albums/j24/the_genrl/openswan/HWN_vpn_setup_v1_3jan2009.png
computers "left" and "right" are computers running the same version of
openswan.
Linux Openswan U2.6.22/K2.6.31-14-generic (netkey)
"router a" runs smoothwall express 3.0, has udp ports 500, 4500 forwarded to
"left"
"router b" is just a configurable one-port-in-one-port-out modem, so it kinda
needs to be there.
"router c" runs smoothwall express 3.0, has udp ports 500, 4500 forwarded to
"right"
when configuring ipsec.conf, i noticed "left=" and "right=" would have to be
class c type address and was worried they wouldn't make it through the
internet.
### start ipsec.conf ###
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn %default
    authby=rsasig

conn test123
    type=tunnel
    left=192.168.1.200
    leftrsasigkey=0sAQOoWg...
    right=192.168.98.200
    rightrsasigkey=0sAQNqp5...
    auto=start
### end ipsec.conf ###
are there configuration parameters to ensure the isakmp messages can be
routed properly through the nat routers on both sides? i am stuck with
"if this can work, how will it work?" maybe if there is a way to let, let's
say, "left" have the global ip with a specific port(s). that sounds more
like a router issue though.
please be kind, i am relatively new to openswan and using ipsec.
thanks for your time,
-dave