[Openswan Users] Double NAT disconnects after 40+ hours

Kit Peters cpeters at ucmo.edu
Thu Aug 30 12:08:21 EDT 2012


Well, I tried that, and I got ~30 hours out of my last connection.  Any
other thoughts?

KP

On Mon, Aug 27, 2012 at 1:53 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 27 Aug 2012, Kit Peters wrote:
>
>> I have a double NAT setup, and I'm trying to bridge two sides - a local
>> and a remote - of the same subnet via Openswan and Proxy ARP.
>> Yes, it's goofy. :)
>> Here's a rough diagram of the setup:
>>
>> [ local network ] -> [ local openswan ] -> campus network NAT -> Internet
>> Internet -> [ remote openswan / firewall ] -> remote network NAT -> [
>> remote network ]
>>
>
> Interesting, though I guess you won't see broadcast traffic on that
> segment if "local network" and "remote network" have the same ip range.
>
>
>> I can get everything to work, and with Proxy ARP, I can establish
>> communication between the local and remote networks.  However, I lose
>> my connection after some time - most recently it lasted 45 hours.
>>
>
> Try adding
>
>         dpdaction=restart_bypeer
>         dpdtimeout=30
>         dpddelay=3
>
> to both client and server side to make it automatically restart.
>
>
>> config setup
>>         protostack=netkey
>>
>> conn L2TP-PSK-CLIENT
>>         authby=secret
>>         pfs=no
>>         rekey=yes
>>         keyingtries=3
>>         type=transport
>>         left=%defaultroute
>>         leftprotoport=17/1701
>>         right=X.X.19.22
>>         rightprotoport=17/1701
>>         auto=add
>>
>> remote ipsec.conf:
>>
>> config setup
>>     oe=off
>>     protostack=netkey
>>     nat_traversal=yes
>>
>> conn L2TP-PSK-NAT
>>     rightsubnet=vhost:%no
>>     also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     rekey=no
>>     ikelifetime=8h
>>     keylife=1h
>>     type=transport
>>     left=X.X.19.22
>>     leftprotoport=17/1701
>>     right=%any
>>     rightprotoport=17/%any
>>
>
> Oh, you are actually using udp/1701 (L2TP) ??
>
> Paul
>



-- 
Kit Peters (W0KEH), Engineer II
KMOS TV Channel 6 / KTBG 90.9 FM
University of Central Missouri
http://kmos.org/ | http://ktbg.fm/
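Paul's suggestion in the quoted reply was to add three DPD keys to the ipsec.conf on both sides. As an added example that is not part of this thread or of Openswan itself, the constructed Python checker below parses an ipsec.conf in the format shown above, follows `also=` (so `L2TP-PSK-NAT` picks up whatever `L2TP-PSK-noNAT` defines) and reports a conn that still lacks the DPD keys or has a timeout no larger than its delay. The merge rule (the including conn's own keys win) is assumed from ipsec.conf(5).

```python
# Parse an Openswan ipsec.conf, resolve also= and confirm a conn ends up with the
# DPD keys from Paul's suggestion (constructed checker, not Openswan code).
REQUIRED_DPD = ("dpdaction", "dpddelay", "dpdtimeout")
# Constructed sample: the thread's remote config, trimmed, with the three DPD lines
# added to the base conn so that L2TP-PSK-NAT inherits them through also=.
REMOTE_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes
conn L2TP-PSK-NAT
    rightsubnet=vhost:%no
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    rekey=no
    ikelifetime=8h
    keylife=1h
    dpdaction=restart_bypeer
    dpdtimeout=30
    dpddelay=3
"""

def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}} per section; '#' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line opens a new section
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name, seen=()):
    """Follow also= chains; the including conn's own keys take precedence (assumed)."""
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    own = dict(sections.get(f"conn {name}", {}))
    base = own.pop("also", None)
    merged = effective_conn(sections, base, seen + (name,)) if base else {}
    merged.update(own)
    return merged

def check_dpd(conf_text, conn_name):
    """Return (effective params, problems); problems is empty when DPD is usable."""
    params = effective_conn(parse_ipsec_conf(conf_text), conn_name)
    problems = [f"missing {k}" for k in REQUIRED_DPD if k not in params]
    if not problems and int(params["dpdtimeout"]) <= int(params["dpddelay"]):
        problems.append("dpdtimeout must be larger than dpddelay")
    return params, problems
```

Run it against each side's real file; a conn that reports `missing dpd...` on either end will not restart by itself when the NAT mapping expires.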