[Openswan Users] NAT-T and left=%defaultroute
simon.chan3 at yahoo.ca
Mon Sep 26 14:34:41 EDT 2011
Thanks for the quick response. I replaced left=%defaultroute with
left=192.168.168.5 and instantly my tunnel was up. No more complaints about
"We cannot identify ourselves with either end...".
I am surprised that the public IP does not need to be in the ipsec.conf, at
least not on the local side.
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Simon Chan" <simon.chan3 at yahoo.ca>
Cc: <users at openswan.org>
Sent: Thursday, September 22, 2011 2:58 PM
Subject: Re: [Openswan Users] NAT-T and left=%defaultroute
> On Thu, 22 Sep 2011, Simon Chan wrote:
>> I am trying to learn Openswan, starting with a simple NAT'ed setup.
>> One end is behind a cable modem Nat router. The other end is not Nat'ed.
>> All the examples I can find tell me to use "left=%defaultroute" which
>> works. If I replace %defaultroute with the real public IP or the cable
>> modem's IP (192.168.x.1) then I get error:
>> "We cannot identify ourselves with either end of this connection."
> If you have a static ip behind NAT, you can use left=a.b.c.d
> If you have a dynamic IP, you use left=%defaultroute and openswan will use
> the IP that seems to be the one used to communicate to the world based on
> your default route.
>> conn office
> All your 20 connections have different subnets?
> You also need something along the lines of:
> iptables -t nat -I POSTROUTING -s 192.168.168.0/24 -d 192.168.40.0/24 -j RETURN
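
As an added illustration (not code from this thread or from Openswan), the sketch below is a simplified model of the check behind "We cannot identify ourselves with either end of this connection": a conn is usable only if left= or right= resolves to an address configured on a local interface. The conn names, the addresses 203.0.113.10 and 198.51.100.20, and the function names are constructed placeholders; only 192.168.168.5 comes from the thread.

```python
import ipaddress

# Constructed sample: left= values like those tried in the thread.
# 203.0.113.10 (public side of the NAT) and 198.51.100.20 (remote peer)
# are documentation placeholders, not addresses from the thread.
SAMPLE_CONF = """\
conn office-public
    left=203.0.113.10        # public IP, lives on the NAT router, not this host
    right=198.51.100.20
conn office-private
    left=192.168.168.5       # address actually bound to the local interface
    right=198.51.100.20
conn office-auto
    left=%defaultroute
    right=198.51.100.20
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from an ipsec.conf-style fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def orient(conn, local_addrs, default_route_addr):
    """Return 'left', 'right', or None when neither end is a local address."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    for side in ("left", "right"):
        value = conn.get(side, "")
        if value == "%defaultroute":
            value = default_route_addr  # address on the default-route interface
        try:
            if ipaddress.ip_address(value) in local:
                return side
        except ValueError:
            continue  # %any, hostnames, etc. are outside this simplified model
    return None

def check(text, local_addrs, default_route_addr):
    """Map each conn name to the side that matched a local address (or None)."""
    return {name: orient(conn, local_addrs, default_route_addr)
            for name, conn in parse_conns(text).items()}
```

A result of None for a conn corresponds to the error quoted in the thread; the NAT'ed host never has the public address on one of its own interfaces, so only the private address or %defaultroute can match.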