[Openswan Users] NAT-T and left=%defaultroute

Simon Chan simon.chan3 at yahoo.ca
Mon Sep 26 14:34:41 EDT 2011

Hi Paul,

Thanks for the quick response. I replaced left=%defaultroute with 
left= and instantly my tunnel was up. No more complaints about 
"We cannot identify ourselves with either end...".
I am surprised that the public IP does not need to be in the ipsec.conf, at 
least not on the local side.

Thanks again.

----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Simon Chan" <simon.chan3 at yahoo.ca>
Cc: <users at openswan.org>
Sent: Thursday, September 22, 2011 2:58 PM
Subject: Re: [Openswan Users] NAT-T and left=%defaultroute

> On Thu, 22 Sep 2011, Simon Chan wrote:
>> I am trying to learn Openswan, starting with a simple NAT'ed setup.
>> One end is behind a cable modem Nat router. The other end is not Nat'ed.
>> All the examples I can find tell me to use "left=%defaultroute" which 
>> works. If I replace %defaultroute with the real public IP or the cable
>> modem's IP (192.168.x.1) then I get error:
>> "We cannot identify ourselves with either end of this connection."
> If you have a static ip behind NAT, you can use left=a.b.c.d
> If you have a dynamic IP, you use left=%defaultroute and openswan will pick
> the IP that seems to be the one used to communicate to the world based on
> your default route.
>> conn office
>> authby=secret
>> left=%defaultroute
>> leftid=
>> leftsourceip=
>> leftsubnet=
> All your 20 connections have different subnets?
>> right=216.x.x.x
>> rightsubnet=
>> auto=route
> auto=start
> You also need something along the lines of: iptables -I POSTROUTING -s -d -j RETURN
> Paul 
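As an added example (not code from this thread, and not Openswan's own): a complete conn block for the NAT'ed side together with the NAT-exclusion rule Paul mentions, and a small check that catches the rule being placed after MASQUERADE. Subnets 192.168.1.0/24 and 10.20.0.0/16, the peer address 203.0.113.10, the leftid and leftsourceip values, and the outbound interface eth0 are all constructed placeholders; it is also an assumption here that the RETURN rule belongs in the nat table's POSTROUTING chain ahead of the masquerading rule. The check_order function is a hypothetical helper written for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All addresses are constructed.
LEFTSUBNET=192.168.1.0/24   # LAN behind the cable-modem NAT router (constructed)
RIGHTSUBNET=10.20.0.0/16    # LAN behind the non-NAT'ed peer (constructed)
RIGHT=203.0.113.10          # public address of the non-NAT'ed peer (placeholder)
WAN_IF=eth0                 # interface carrying the default route (assumed)

# Emit the conn block for the NAT'ed side. left=%defaultroute lets pluto pick
# the address behind the default route, so the (dynamic) WAN address never has
# to appear in ipsec.conf; leftid gives the peer a stable identity regardless.
gen_conn() {
  cat <<EOF
conn office
    authby=secret
    left=%defaultroute
    leftid=@office-nat
    leftsourceip=192.168.1.1
    leftsubnet=$LEFTSUBNET
    right=$RIGHT
    rightsubnet=$RIGHTSUBNET
    auto=start
EOF
}

# Tunnel traffic must skip masquerading: if the LAN source address is rewritten
# to the WAN address first, it no longer matches leftsubnet and is sent in the
# clear. Inserting RETURN at position 1 keeps it ahead of MASQUERADE.
gen_nat_rules() {
  printf '%s\n' \
    "iptables -t nat -I POSTROUTING 1 -s $LEFTSUBNET -d $RIGHTSUBNET -j RETURN" \
    "iptables -t nat -A POSTROUTING -s $LEFTSUBNET -o $WAN_IF -j MASQUERADE"
}

# Read iptables-save style rules on stdin; exit 0 only if a RETURN rule for the
# remote subnet appears in POSTROUTING before any MASQUERADE rule.
check_order() {
  awk -v rs="$RIGHTSUBNET" '
    /^-A POSTROUTING / {
      if ($0 ~ /-j RETURN/ && index($0, rs)) ok = 1
      else if ($0 ~ /-j MASQUERADE/ && !ok) bad = 1
    }
    END { exit (ok && !bad) ? 0 : 1 }'
}

# Constructed sample of a ruleset with the two rules in the wrong order.
SAMPLE_BAD='-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 10.20.0.0/16 -j RETURN'

if printf '%s\n' "$SAMPLE_BAD" | check_order; then
  echo "nat rules: ok"
else
  echo "nat rules: RETURN for $RIGHTSUBNET comes after MASQUERADE; tunnel traffic would be NATed"
fi
```

On a live box the same check is `iptables-save -t nat | check_order`; the conn block goes into ipsec.conf and the two generated commands are run before the tunnel is started.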
