[Openswan Users] problem with Clients behind nat
Paul Wouters
paul at xelerance.com
Sun Mar 28 23:43:38 EDT 2010
On Tue, 23 Mar 2010, Maci ... wrote:
> version 2.0 # conforms to second version of ipsec.conf specification
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> nat_traversal=yes
> protostack=netkey
Add a proper virtual_private= line (see 'man ipsec.conf').
> conn vpnagenti
> authby=secret
> pfs=no
> type=transport
> auto=add
> left=213.100.100.1
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/1701
> keyexchange=ike
> ikelifetime=8h
> keylife=1h
> keyingtries=3
> rekey=no
Add rightsubnet=vhost:%no,%priv
> This configuration works if the clients aren't behind NAT, but they have a public IP.
Yes. see above.
> If the ras operator takes a private IP and then it nats it, I have this message:
>
> 14:30:31.248758 IP 193.247.250.11.time > 213.100.100.1.isakmp: isakmp: phase 1 I ident
> 14:30:31.249830 IP 213.100.100.1 > 193.247.250.11: icmp 348: 213.100.100.1 udp port isakmp unreachable
Don't send us (encrypted) tcpdumps. There is nothing we can do with that.
Paul
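Added example, not part of the thread: a small Python check that parses an ipsec.conf in the format quoted above and flags the two omissions Paul points out (nat_traversal=yes without a virtual_private= line, and a right=%any conn without rightsubnet=vhost:%no,%priv). The embedded sample is constructed from the quoted configuration.

```python
"""Lint an Openswan ipsec.conf for the NAT-traversal pitfalls raised in the thread."""
import re

# Constructed sample: the quoted configuration, with the two lines Paul asks for missing.
SAMPLE_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    protostack=netkey

conn vpnagenti
    authby=secret
    type=transport
    left=213.100.100.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
"""


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'config setup' is keyed as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if m:  # new 'config setup' or 'conn <name>' section header
            current = sections.setdefault(m.group(2), {})
            continue
        if line.startswith("version") or current is None:
            continue  # the version line and anything before the first section
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def nat_findings(sections):
    """Return (section, message) pairs for the NAT-T problems discussed above."""
    findings = []
    setup = sections.get("setup", {})
    if setup.get("nat_traversal") == "yes" and "virtual_private" not in setup:
        findings.append(("setup", "nat_traversal=yes but no virtual_private= line"))
    for name, conn in sections.items():
        if name == "setup":
            continue
        if conn.get("right") == "%any" and not conn.get("rightsubnet", "").startswith("vhost:"):
            findings.append((name, "right=%any without rightsubnet=vhost:%no,%priv"))
    return findings
```

Running nat_findings(parse_ipsec_conf(SAMPLE_CONF)) reports both problems; once the two lines are added the check returns an empty list.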