[Openswan Users] Client behind NAT problem
farajian amin
amin_o_city at yahoo.com
Wed Mar 17 08:38:58 EDT 2010
Dear All,
I have the following network configuration:
The openswan server has two interfaces.
OpenswanClient ------NAT DEVICE ------------OpenswanServer --------(Openswan Server LAN)
(192.168.0.2)         /      \              (192.168.1.88)         (10.10.10.0/24)
                     /        \
          192.168.0.1          192.168.1.103
The client side config is:
conn test
    type=tunnel
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    right=%defaultroute
    left=192.168.1.88
    leftsubnet=10.10.10.0/24
    rightid="C=X,ST=X,... "
    leftid="C=Y,ST=Y,... "
    rightcert=clientsidecert.pem
    auto=add
The server side config is:
conn test
    type=tunnel
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftsubnet=10.10.10.0/24
    right=%any
    leftcert=serversidecert.pem
    leftid="C=Y, ST=Y, ..."
    rightid="C=X, ST=X, ..."
    auto=add
I have nat-traversal=yes on both sides.
When I start the connection I get the following messages:
===============================================
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
pluto[11254]: "test"[1] 192.168.1.103 #1: the peer proposed: 10.10.10.0/24:0/0 -> 192.168.0.2/32:0/0
pluto[11254]: "test"[1] 192.168.1.103 #1: cannot respond to IPsec SA request because no connection is known for 10.10.10.0/24===192.168.1.88[C=Y, ST=Y, ....]...192.168.1.103 [C=X, ST=X,.....]===192.168.0.2/32
pluto[11254]: "road-test"[1] 192.168.1.103 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168
Can anybody help me?
Thanks in advance,
Amin Farajian