[Openswan Users] NAT-T and left=%defaultroute
Paul Wouters
paul at xelerance.com
Thu Sep 22 17:58:56 EDT 2011
On Thu, 22 Sep 2011, Simon Chan wrote:
> I am trying to learn Openswan, starting with a simple NAT'ed setup.
> One end is behind a cable modem Nat router. The other end is not Nat'ed.
> All the examples I can find tell me to use "left=%defaultroute", which works. If I replace %defaultroute with the real public IP or the cable
> modem's IP (192.168.x.1), then I get the error:
> "We cannot identify ourselves with either end of this connection."
If you have a static IP behind NAT, you can use left=a.b.c.d
If you have a dynamic IP, you use left=%defaultroute and openswan will pick
the IP that seems to be the one used to communicate with the world, based on
your default route.
> conn office
> authby=secret
> left=%defaultroute
> leftid=192.168.168.5
> leftsourceip=192.168.168.5
> leftsubnet=192.168.168.0/24
All your 20 connections have different subnets?
> right=216.x.x.x
> rightsubnet=192.168.40.0/24
> auto=route
auto=start
You also need something along the lines of: iptables -I POSTROUTING -s 192.168.168.0/24 -d 192.168.40.0/24 -j RETURN
Paul
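Two checks a practitioner would run after following the advice above, written here as an added example (not code from Paul, the poster or the Openswan project): pick the source address that the default route implies, which is what left=%defaultroute resolves to, and confirm that the POSTROUTING RETURN rule for the tunnel subnets sits before any MASQUERADE/SNAT rule, since a masquerade rule that comes first would rewrite the source of packets that are meant to enter the tunnel. The `ip route get` and `iptables-save` texts below are constructed samples with the subnets from the thread; the interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example; the sample command outputs below are constructed, not captured
# from the poster's system. Interface eth0 is assumed.

# Constructed `ip route get 1.1.1.1` output on the NAT'ed host.
SAMPLE_ROUTE='1.1.1.1 via 192.168.168.1 dev eth0 src 192.168.168.5 uid 0'

# Constructed `iptables-save -t nat` output: RETURN for the tunnel traffic
# precedes the MASQUERADE rule, which is the correct order.
SAMPLE_NAT_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.168.0/24 -d 192.168.40.0/24 -j RETURN
-A POSTROUTING -s 192.168.168.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Same rules in the wrong order: MASQUERADE would rewrite tunnel traffic.
SAMPLE_BAD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.168.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.168.0/24 -d 192.168.40.0/24 -j RETURN
COMMIT'

# Print the "src" address from `ip route get` output; this is the address
# that left=%defaultroute ends up using, so leftid/leftsourceip should agree.
default_route_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit }
    }'
}

# Return 0 when a "-s LEFT -d RIGHT -j RETURN" rule exists in POSTROUTING
# and appears before the first MASQUERADE/SNAT rule; return 1 otherwise.
check_vpn_bypass_order() {
    rules="$1"; lsub="$2"; rsub="$3"
    printf '%s\n' "$rules" | awk -v l="$lsub" -v r="$rsub" '
        /^-A POSTROUTING/ {
            n++
            if (index($0, "-s " l) && index($0, "-d " r) && index($0, "-j RETURN") && !ret) ret = n
            if ((index($0, "-j MASQUERADE") || index($0, "-j SNAT")) && !nat) nat = n
        }
        END { exit !(ret && (!nat || ret < nat)) }'
}

# Stand-alone run over the constructed samples; on a live host replace the
# samples with `ip route get <peer>` and `iptables-save -t nat` output.
if [ "${1:-}" = "demo" ]; then
    echo "default-route src: $(default_route_src "$SAMPLE_ROUTE")"
    check_vpn_bypass_order "$SAMPLE_NAT_RULES" 192.168.168.0/24 192.168.40.0/24 \
        && echo "good rules: tunnel traffic bypasses NAT" || echo "good rules: FAIL"
    check_vpn_bypass_order "$SAMPLE_BAD_RULES" 192.168.168.0/24 192.168.40.0/24 \
        && echo "bad rules: unexpectedly passed" || echo "bad rules: MASQUERADE precedes RETURN"
fi
```

The order check is the one that matters operationally: `iptables -I POSTROUTING ...` inserts at the top of the chain, so it lands before an existing MASQUERADE rule, whereas `-A` would append it after and leave the tunnel traffic masqueraded.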