[Openswan Users] problem with Clients behind nat

Maci ... godmaci at hotmail.it
Tue Mar 23 12:03:14 EDT 2010


Hi, this is my situation: I have a lot of laptops that have to connect at the same time from different countries to my network. Some RAS operators (for example Vodafone IT) give them a public IP, others (Swisscom CH) give them a NATted IP.

 

 

|LAPTOP| -- ras connection --> IP ADDR assigned 10.141.179.32  |
                                                               |
                                                               | -- IP ADDR natted 193.247.250.11 --> |L2TP/IPSEC SERVER (213.100.100.1)|
                                                               |
|LAPTOP| -- ras connection --> IP ADDR assigned 10.141.179.43  |

 

 

----------------------------------------------------------------------------------------

My configuration is:

 

version 2.0     # conforms to second version of ipsec.conf specification

config setup
  interfaces=%defaultroute
  klipsdebug=none
  plutodebug=none
  nat_traversal=yes
  protostack=netkey

 

conn vpnagenti
  authby=secret
  pfs=no
  type=transport
  auto=add
  left=213.100.100.1
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/1701
  keyexchange=ike
  ikelifetime=8h
  keylife=1h
  keyingtries=3
  rekey=no


include /etc/ipsec.d/*.conf
include /etc/ipsec.d/examples/no_oe.conf
--------------------------------------------------------------------------------------

 

This configuration works if the clients aren't behind NAT but have a public IP.

If the RAS operator takes a private IP and then NATs it, I get this message:

14:30:31.248758 IP 193.247.250.11.time > 213.100.100.1.isakmp: isakmp: phase 1 I ident
14:30:31.249830 IP 213.100.100.1 > 193.247.250.11: icmp 348: 213.100.100.1 udp port isakmp unreachable
14:30:31.651442 IP 193.247.250.11.time > 213.100.100.1.isakmp: isakmp: phase 1 I ident
14:30:31.651681 IP 213.100.100.1 > 193.247.250.11: icmp 348: 213.100.100.1 udp port isakmp unreachable
14:30:32.615081 IP 193.247.250.11.time > 213.100.100.1.isakmp: isakmp: phase 1 I ident
14:30:32.615128 IP 213.100.100.1 > 193.247.250.11: icmp 348: 213.100.100.1 udp port isakmp unreachable


Could you help me?

Thanks


Massimiliano
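
Added example, not part of the original post: a Python check that reads tcpdump lines in the format shown above, pairs each IKE packet with the ICMP port-unreachable reply sent back to the same peer, and records the initiator's source port (a source port other than 500/4500, here `time`, suggests port translation on the path). The function name and the summary fields are assumptions made for this illustration; the sample lines are the ones from the capture in the post.

```python
import re

# Sample input: the capture lines quoted in the post above.
CAPTURE = """\
14:30:31.248758 IP 193.247.250.11.time > 213.100.100.1.isakmp: isakmp: phase 1 I ident
14:30:31.249830 IP 213.100.100.1 > 193.247.250.11: icmp 348: 213.100.100.1 udp port isakmp unreachable
14:30:31.651442 IP 193.247.250.11.time > 213.100.100.1.isakmp: isakmp: phase 1 I ident
14:30:31.651681 IP 213.100.100.1 > 193.247.250.11: icmp 348: 213.100.100.1 udp port isakmp unreachable
14:30:32.615081 IP 193.247.250.11.time > 213.100.100.1.isakmp: isakmp: phase 1 I ident
14:30:32.615128 IP 213.100.100.1 > 193.247.250.11: icmp 348: 213.100.100.1 udp port isakmp unreachable
"""

IPV4 = r"(\d+(?:\.\d+){3})"
# "<ts> IP <src>.<sport> > <dst>.<dport>: isakmp: <detail>"
IKE = re.compile(rf"^\S+ IP {IPV4}\.(\S+) > {IPV4}\.(\S+): isakmp: (.+)$")
# "<ts> IP <src> > <dst>: icmp <len>: <host> udp port <port> unreachable"
UNREACH = re.compile(rf"^\S+ IP {IPV4} > {IPV4}: icmp \d+: \S+ udp port (\S+) unreachable$")
# Port names/numbers tcpdump may print for UDP 500 and UDP 4500.
IKE_PORTS = {"isakmp", "500", "ipsec-nat-t", "4500"}

def summarize(capture):
    """Return {(initiator, responder): stats} for the IKE flows in a capture."""
    flows = {}
    for line in capture.splitlines():
        line = line.strip()
        m = IKE.match(line)
        if m:
            client, sport, server, _dport, _detail = m.groups()
            f = flows.setdefault((client, server),
                                 {"ike": 0, "unreachable": 0, "sports": set()})
            f["ike"] += 1
            f["sports"].add(sport)
            continue
        m = UNREACH.match(line)
        if m and m.group(3) in IKE_PORTS:
            server, client, _port = m.groups()
            if (client, server) in flows:
                flows[(client, server)]["unreachable"] += 1
    for f in flows.values():
        # Initiator did not send from 500/4500: likely rewritten by NAT.
        f["sport_nonstandard"] = not f["sports"] <= IKE_PORTS
        # Every IKE packet was answered with ICMP port unreachable.
        f["all_rejected"] = f["ike"] > 0 and f["unreachable"] >= f["ike"]
    return flows

if __name__ == "__main__":
    for peers, stats in summarize(CAPTURE).items():
        print(peers, stats)
```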
 		 	   		  