[Openswan Users] NAT configuration question ...
Paul Wouters
paul at xelerance.com
Wed Feb 23 00:32:06 EST 2011
On Tue, 22 Feb 2011, Swartz, Patrick H wrote:
> I made the changes according to your suggestion, except swapped right/left because in my setup the RIGHT is behind the NAT.
> diagram --
> LEFT RIGHT
> rhel5gp1 (eth1-172.27.10.2) <router/NAT-T> rhel5secr (eth0-192.168.10.2)
> 1:1 NAT-192.168.10.2:172.27.10.4
If right is behind NAT, then rhel5secr should initiate the connection to 172.27.10.2.
> Red Hat 5.4
> Linux Openswan U2.6.14/K2.6.18-164.el5 (netkey)
I think RHEL has a newer openswan than 2.6.14 btw?
> conn rhel5secr-rhel5gp1
> connaddrfamily=ipv4
> type=tunnel
> authby=secret
> left=172.27.10.2
> right=192.168.10.2
Make that right=%any and add:
rightsubnet=vhost:%priv
Now ideally, you want to add IDs too, so that your secrets become easier:
leftid=@rhel5gp1
rightid=@rhel5secr
in ipsec.secrets:
@rhel5gp1 @rhel5secr: PSK "yoursecret"
You will need to add the IDs on the other side as well, and adapt its
ipsec.secrets to use the same identifiers.
Then initiate from right to the left, either using ipsec auto --up rhel5secr-rhel5gp1
or by using auto=add on left and auto=start on right.
Oh, also add rekey=no on the left; you cannot rekey to peers behind NAT.
Paul
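Both sides' configuration assembled from the advice above, as an added example that is not part of the original post or of Openswan's own documentation. The conn name, hostnames, addresses and @-IDs are the ones from the thread; the `config setup` lines (`nat_traversal=yes`, `virtual_private=...`) and `right=%defaultroute` on the NATed side are assumptions about what Openswan 2.6 on netkey needs for `vhost:%priv` to match, not something the post states. The PSK is a placeholder.

```ini
# ---- rhel5gp1 (LEFT, public side 172.27.10.2, responder) ----
# /etc/ipsec.conf
config setup
    protostack=netkey
    # assumption: NAT-T must be enabled and the peer's private range listed in
    # virtual_private, otherwise rightsubnet=vhost:%priv has nothing to match
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn rhel5secr-rhel5gp1
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    left=172.27.10.2
    leftid=@rhel5gp1
    right=%any                 ; peer's public address is only known once it connects
    rightid=@rhel5secr
    rightsubnet=vhost:%priv    ; accept the private address the NATed peer proposes as its client
    rekey=no                   ; the responder cannot rekey to a peer behind NAT
    auto=add                   ; load only; the side behind NAT must initiate

# /etc/ipsec.secrets
@rhel5gp1 @rhel5secr: PSK "yoursecret"

# ---- rhel5secr (RIGHT, behind 1:1 NAT, 192.168.10.2, initiator) ----
# /etc/ipsec.conf
config setup
    protostack=netkey
    nat_traversal=yes          ; assumption: needed so this side sends NAT-T keepalives/UDP 4500

conn rhel5secr-rhel5gp1
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    left=172.27.10.2
    leftid=@rhel5gp1
    right=%defaultroute        ; assumption: resolves to this host's own address 192.168.10.2
    rightid=@rhel5secr
    auto=start                 ; initiate from the NATed side at startup

# /etc/ipsec.secrets (identical IDs and secret on both sides)
@rhel5gp1 @rhel5secr: PSK "yoursecret"
```

With `auto=start` the tunnel is brought up when pluto starts on rhel5secr; to bring it up by hand run `ipsec auto --up rhel5secr-rhel5gp1` there, and use `ipsec auto --status` on either side to confirm the IPsec SA was established with NAT-T (UDP encapsulation) in effect. Note that the left/right labels are the same in both files; Openswan works out from its own addresses which side it is.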