[Openswan Users] NAT configuration question ...
Swartz, Patrick H
Patrick.Swartz at firstdata.com
Tue Feb 22 15:42:39 EST 2011
My apologies to the list for not clearing the subject line of my last
cry for help...
Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-201-1192 Company cell
402-871-8981 Personal cell
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Swartz, Patrick H
Sent: Tuesday, February 22, 2011 2:33 PM
To: users at openswan.org
Subject: Re: [Openswan Users] 2.6.33 fix for compile failure without USE_EXTRACRYPTO=true
Hi All,
I was hoping the list would be so kind as to help me better understand the
proper configuration when one side is behind a NAT router.
Here is what I have so far (which of course isn't working ...)
(LEFT SIDE)

/etc/ipsec.conf
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.10.0/24    ## Was guessing here, tried without but no go

conn rhel5secr-rhel5gp1
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    left=172.27.10.2
    right=%any                  ## tried using both the NAT address (172.27.10.4)
                                ## and the real address (192.168.10.2)
    rightsubnet=vhost:%priv     ## Was guessing here, tried without but no go
    esp=3des
    keyexchange=ike
    pfs=no
    auto=start

/etc/ipsec.secrets
172.27.10.2 172.27.10.4: PSK "c78250df64812af440e0"
(RIGHT SIDE)

/etc/ipsec.conf
config setup
    protostack=netkey
    nat_traversal=yes

conn rhel5secr-rhel5gp1
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    left=172.27.10.2
    right=172.27.10.4
    esp=3des
    keyexchange=ike
    pfs=no
    auto=start

/etc/ipsec.secrets
172.27.27.2 172.27.10.4: PSK "c78250df64812af440e0"
diagram --

LEFT                                                        RIGHT
rhel5gp1 (eth1 - 172.27.10.2)  <router/NAT-T>  rhel5secr (eth0 - 192.168.10.2)

                    1:1 NAT: 192.168.10.2 <-> 172.27.10.4
Router is a Cisco 2811 w/ this configuration:

interface FastEthernet0
 ip address 172.27.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
Red Hat 5.4
Linux Openswan U2.6.14/K2.6.18-164.el5 (netkey)
I'm sure I'm messing up with the right/left configuration, but nothing
I've tried works. This is a lab POC before we roll out to a larger
environment.
Thank you for any help ya can throw my way!!
Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-201-1192 Company cell
-----------------------------------------
The information in this message may be proprietary and/or
confidential, and protected from disclosure. If the reader of this
message is not the intended recipient, or an employee or agent
responsible for delivering this message to the intended recipient,
you are hereby notified that any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify First Data
immediately by replying to this message and deleting it from your
computer.
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
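Editor's added example (not from the original post, and not the Openswan project's own documentation): one workable layout for the topology asked about above, a host-to-host tunnel where rhel5secr sits behind a static 1:1 NAT. Two points drive it. First, Openswan orients a conn by finding one of the host's own interface addresses in left or right; rhel5secr has 192.168.10.2 and never sees 172.27.10.4, so the posted right-side conn with right=172.27.10.4 cannot be matched to an interface on that box. Second, the IKE identities and the protected address should not depend on the NAT: leftid/rightid as @names and an explicit rightsubnet=192.168.10.2/32 keep phase 1 and phase 2 consistent on both sides even though the public side addresses its packets to 172.27.10.4. It assumes the router really does static NAT of 192.168.10.2 to 172.27.10.4 (the excerpt posted shows the NAT inside/outside interfaces but not the ip nat inside source static line), that UDP 500 and 4500 pass the router, and that the PSK placeholder is replaced by a fresh random secret (the one in the post is now on a public list). The host names, @-IDs and the aes128-sha1 choice are this example's assumptions; esp=3des-sha1 would be the legacy equivalent of the original esp=3des. The roadwarrior settings (virtual_private, vhost:%priv) are not needed for a fixed 1:1 mapping and are left out.

```conf
# ===== rhel5gp1 (public side, eth1 = 172.27.10.2): /etc/ipsec.conf =====
config setup
    protostack=netkey
    nat_traversal=yes

conn rhel5secr-rhel5gp1
    type=tunnel
    authby=secret
    left=172.27.10.2
    leftid=@rhel5gp1
    # What this host actually sees on the wire is the NAT's outside address.
    right=172.27.10.4
    # The peer's IKE ID and its protected address are NAT-independent,
    # so the tunnel policy on this side targets the peer's real address.
    rightid=@rhel5secr
    rightsubnet=192.168.10.2/32
    esp=aes128-sha1
    auto=start

# ===== rhel5gp1: /etc/ipsec.secrets =====
# Indexed by the IKE IDs configured above, so the same line is valid on both hosts.
@rhel5gp1 @rhel5secr: PSK "replace-with-a-long-random-secret"

# ===== rhel5secr (behind NAT, eth0 = 192.168.10.2): /etc/ipsec.conf =====
config setup
    protostack=netkey
    nat_traversal=yes

conn rhel5secr-rhel5gp1
    type=tunnel
    authby=secret
    left=172.27.10.2
    leftid=@rhel5gp1
    # This host's own interface address goes here; Openswan needs to find
    # itself in left or right to orient the conn, and 172.27.10.4 exists
    # only on the router's outside, never on this host.
    right=192.168.10.2
    rightid=@rhel5secr
    rightsubnet=192.168.10.2/32
    esp=aes128-sha1
    auto=start

# ===== rhel5secr: /etc/ipsec.secrets =====
@rhel5gp1 @rhel5secr: PSK "replace-with-a-long-random-secret"
```

To check it: after `service ipsec restart` on both boxes, `ipsec verify` on each should report NAT-T support, and `ipsec auto --up rhel5secr-rhel5gp1` from either side should end with both a phase 1 ("ISAKMP SA established") and a phase 2 ("IPsec SA established") line. The pluto log (syslog authpriv, /var/log/secure on RHEL) should show a "NAT-Traversal: Result using RFC 3947" line, reporting the peer as NATed on rhel5gp1 and the local host as NATed on rhel5secr, and `ipsec auto --status` should list the conn as erouted. Test traffic from rhel5gp1 must be addressed to 192.168.10.2, the peer's real address that the policy covers, not to the NAT address 172.27.10.4.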