[Openswan Users] NAT configuration question ...

Paul Wouters paul at xelerance.com
Wed Feb 23 00:32:06 EST 2011


On Tue, 22 Feb 2011, Swartz, Patrick H wrote:

> I made the changes according to your suggestion, except swapped right/left because in my setup the RIGHT is behind the NAT.
> diagram --
> LEFT                                                          RIGHT
> rhel5gp1 (eth1-172.27.10.2)   <router/NAT-T>   rhel5secr (eth0-192.168.10.2)
>                                                1:1 NAT-192.168.10.2:172.27.10.4

If right is behind NAT, then rhel5secr should initiate the connection to 172.27.10.2.

> Red Hat 5.4
> Linux Openswan U2.6.14/K2.6.18-164.el5 (netkey)

I think RHEL has a newer openswan than 2.6.14 btw?

> conn rhel5secr-rhel5gp1
>        connaddrfamily=ipv4
>        type=tunnel
>        authby=secret
>        left=172.27.10.2
>        right=192.168.10.2

Make that right=%any and add:
 	rightsubnet=vhost:%priv

Now ideally, you want to add IDs too, so that your secrets become easier:

 	leftid=@rhel5gp1
 	rightid=@rhel5secr

in ipsec.secrets:

@rhel5gp1 @rhel5secr: PSK "yoursecret"

You will need to add the IDs on the other side as well, and adapt its
ipsec.secrets to use the same identifiers.

Then initiate from right to the left, either using ipsec auto --up rhel5secr-rhel5gp1
or by using auto=add on left and auto=start on right.

Oh, also add rekey=no on the left; you cannot rekey to peers behind NAT.

Paul
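
The two-sided configuration the reply above describes, written out as an added worked example (this is not configuration from the original message or from the Openswan project; it combines the directives Paul lists with the addresses and IDs from Patrick's diagram). The `config setup` lines (`nat_traversal=yes`, `virtual_private=...`, `protostack=netkey`) are assumptions not stated in the post: on Openswan 2.6 NAT traversal must be switched on explicitly, and `vhost:%priv` only matches addresses listed in `virtual_private`. The PSK value is a placeholder.

```ini
# /etc/ipsec.conf on rhel5gp1 (LEFT, public address 172.27.10.2, the responder)
config setup
    # Assumed, not in the post: NAT-T must be enabled, and %priv in
    # rightsubnet=vhost:%priv is resolved against this virtual_private list,
    # so the peer's RFC1918 address 192.168.10.2 must fall inside it.
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey

conn rhel5secr-rhel5gp1
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    left=172.27.10.2
    leftid=@rhel5gp1
    # The peer arrives from the NAT address 172.27.10.4, not 192.168.10.2,
    # so accept it from anywhere and match on its ID instead of its IP.
    right=%any
    rightid=@rhel5secr
    rightsubnet=vhost:%priv
    # Responder behind-NAT peer: do not try to rekey towards it.
    rekey=no
    # Load the conn and wait; the NATed side initiates.
    auto=add

# /etc/ipsec.conf on rhel5secr (RIGHT, 192.168.10.2 behind the 1:1 NAT, the initiator)
config setup
    nat_traversal=yes            # assumed, see above
    protostack=netkey

conn rhel5secr-rhel5gp1
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    left=172.27.10.2
    leftid=@rhel5gp1
    right=192.168.10.2
    rightid=@rhel5secr
    # Bring the tunnel up at startup from this side.
    auto=start

# /etc/ipsec.secrets on both hosts (mode 0600; "yoursecret" is a placeholder)
@rhel5gp1 @rhel5secr: PSK "yoursecret"
```

With both files in place, either restart `ipsec` on rhel5secr (so `auto=start` fires) or run `ipsec auto --up rhel5secr-rhel5gp1` there; `ipsec auto --status` on rhel5gp1 should then show the instantiated conn with the peer's NATed address. Because the initiator sits behind NAT, the exchange floats to UDP/4500 after detection, so the 1:1 NAT must pass UDP/500 and UDP/4500 in both directions.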

