[Openswan Users] NAT-T and left=%defaultroute

Simon Chan simon.chan3 at yahoo.ca
Mon Sep 26 14:34:41 EDT 2011


Hi Paul,

Thanks for the quick response. I replaced left=%defaultroute with 
left=192.168.168.5 and instantly my tunnel was up. No more complaints about 
"We cannot identify ourselves with either end...".
I am surprised that the public IP does not need to be in the ipsec.conf, at 
least not on the local side.

Thanks again.
SC

----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Simon Chan" <simon.chan3 at yahoo.ca>
Cc: <users at openswan.org>
Sent: Thursday, September 22, 2011 2:58 PM
Subject: Re: [Openswan Users] NAT-T and left=%defaultroute


> On Thu, 22 Sep 2011, Simon Chan wrote:
>
>> I am trying to learn Openswan, starting with a simple NAT'ed setup.
>> One end is behind a cable modem Nat router. The other end is not Nat'ed.
>> All the examples I can find tell me to use "left=%defaultroute" which 
>> works. If I replace %defaultroute with the real public IP or the cable
>> modem's IP (192.168.x.1) then I get error:
>> "We cannot identify ourselves with either end of this connection."
>
> If you have a static ip behind NAT, you can use left=a.b.c.d
> If you have a dynamic IP, you use left=%defaultroute and openswan will pick
> the IP that seems to be the one used to communicate to the world based on
> your default route.
>
>> conn office
>> authby=secret
>> left=%defaultroute
>> leftid=192.168.168.5
>> leftsourceip=192.168.168.5
>> leftsubnet=192.168.168.0/24
>
> All your 20 connections have different subnets?
>
>> right=216.x.x.x
>> rightsubnet=192.168.40.0/24
>> auto=route
>
> auto=start
>
> You also need something along the lines of:
> iptables -t nat -I POSTROUTING -s 192.168.168.0/24 -d 192.168.40.0/24 -j RETURN
>
> Paul 
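The connection block below is an added example, not a configuration from this thread or from the Openswan documentation. It puts Paul's advice together in one place: a static private address on the NAT'ed side instead of left=%defaultroute, auto=start instead of auto=route, and NAT-T enabled in the setup section. The local addresses and subnets are the ones from Simon's post; the remote address is left as "216.x.x.x" exactly as it appears in the thread, and the nat_traversal setting is assumed to be needed because one end sits behind a cable-modem NAT.

```ini
config setup
        # Assumed: required because the left host is behind a NAT router
        # (the remote end must also accept NAT-T, i.e. UDP 4500).
        nat_traversal=yes

conn office
        authby=secret
        # Static LAN address of this host; the public address of the
        # cable modem never appears here. If the LAN address were handed
        # out by DHCP, left=%defaultroute would be used instead.
        left=192.168.168.5
        # Sent as our ID; the peer must list the same value as rightid.
        leftid=192.168.168.5
        leftsourceip=192.168.168.5
        leftsubnet=192.168.168.0/24
        # Remote address kept as written in the thread (not filled in).
        right=216.x.x.x
        rightsubnet=192.168.40.0/24
        # Bring the tunnel up at start rather than only installing a
        # trap policy that waits for matching traffic.
        auto=start
```

On the NAT'ed host the nat-table RETURN rule Paul quotes has to sit before the MASQUERADE (or SNAT) rule in POSTROUTING, which is why it is inserted with -I rather than appended with -A: otherwise packets from 192.168.168.0/24 to 192.168.40.0/24 get their source rewritten before IPsec sees them, no longer match leftsubnet, and go out in the clear. Check the ordering with `iptables -t nat -L POSTROUTING -n --line-numbers` after the rules are loaded.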


