[Openswan Users] One-to-one NAT

Roman Serbski mefystofel at gmail.com
Tue Feb 21 10:29:01 EST 2012


Hello list,

Appreciate your advice with the configuration of the VPN with
one-to-one NAT on the client side.

The client side is behind the firewall with one-to-one NAT configured.

The VPN server is powered by Ubuntu 8.04.2 with Openswan
U2.4.9/K2.6.24-23-server installed from packages.  The server side is
not NAT'ed.

Here is an entry for the remote site in ipsec.conf (server side):

...
config setup

       nat_traversal=yes

conn L2TP-PSK-NAT-remote-site-01
       authby=secret
       auto=start
       keyingtries=3
       rekey=yes
       type=tunnel
       left=public.ip.of.remote.firewall
       leftsubnet=192.168.100.0/24
       leftsourceip=192.168.100.1
       right=public.ip.of.vpn.server
       rightsubnet=10.0.0.0/8
       rightsourceip=private.ip.vpn.server

ipsec.secrets (server side):
public.ip.of.vpn.server public.ip.of.remote.firewall : PSK "xxxxxxxxxxxxxxxxxxx"

Remote site is powered by Ubuntu 9.10 with Openswan U2.6.22/K2.6.31-22-generic.

...
config setup

       nat_traversal=yes

conn L2TP-PSK-NAT-remote-site-01
       authby=secret
       auto=start
       type=tunnel
       rekey=yes
       left=public.ip.of.remote.vpn # this is actually a private IP behind NAT
       leftsubnet=192.168.100.0/24
       leftsourceip=192.168.100.1
       right=public.ip.of.vpn.server
       rightsubnet=10.0.0.0/8
       rightsourceip=private.ip.of.vpn.server

I'm confused here with regard to the left part and ipsec.secrets.

If I leave left=public.ip.of.remote.vpn and 'public.ip.of.vpn.server
public.ip.of.remote.vpn : PSK "xxxxxxxxxxxxxxxxxxx"' in ipsec.secrets
I receive an INVALID_ID_INFORMATION error.

If I put left=public.ip.of.remote.firewall I cannot even start ipsec:
We cannot identify ourselves with either end of this connection.

Many thanks in advance.
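
As an added example (not from the original post or from Openswan itself), a small Python checker for the kind of mismatch described above: it parses ipsec.conf-style fragments and ipsec.secrets index lines and reports when the two ends disagree on the identity a side will present. It assumes Openswan's behaviour that a side's IKE ID defaults to its left=/right= address unless leftid=/rightid= is set; the leftid variant it tries for the NAT'ed end is a hypothesis, not an answer from the list, and the address placeholders are the post's own.

```python
# Added example (not from the post): minimal ipsec.conf/ipsec.secrets parser that
# checks both ends of a conn agree on IKE IDs (Openswan sends <side>id, else <side>).

def parse_conf(text):
    """Left-margin lines start a section; indented key=value lines belong to it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    return sections

def secret_index(line):
    """IDs an 'id1 id2 : PSK "..."' line is indexed by (everything before ':')."""
    return set(line.partition(":")[0].split())

def ike_id(conn, side):
    """Identity used for a side: leftid/rightid if set, else the left/right address."""
    return conn.get(side + "id", conn.get(side))

def check_ids(server_conn, server_ids, remote_conn, remote_ids):
    """List of problems (empty = consistent): both ends must name the same left and
    right IDs, and each secrets line must be indexed by its own host's IDs or %any."""
    problems = []
    for side in ("left", "right"):
        s, r = ike_id(server_conn, side), ike_id(remote_conn, side)
        if s != r:
            problems.append(f"{side} ID mismatch: server expects {s}, remote sends {r}")
    for host, conn, ids in (("server", server_conn, server_ids), ("remote", remote_conn, remote_ids)):
        for side in ("left", "right"):
            if ike_id(conn, side) not in ids and "%any" not in ids:
                problems.append(f"{host}: ipsec.secrets not indexed by {ike_id(conn, side)}")
    return problems

# Constructed fragments modelled on the post (placeholder addresses kept as written).
SERVER = parse_conf("conn site\n\tleft=public.ip.of.remote.firewall\n\tright=public.ip.of.vpn.server\n")["conn site"]
REMOTE_AS_POSTED = parse_conf("conn site\n\tleft=private.ip.of.remote.vpn # behind 1:1 NAT\n\tright=public.ip.of.vpn.server\n")["conn site"]
# Hypothesis, not the list's answer: give the NAT'ed end a leftid equal to its public address.
REMOTE_WITH_LEFTID = parse_conf("conn site\n\tleft=private.ip.of.remote.vpn\n\tleftid=public.ip.of.remote.firewall\n\tright=public.ip.of.vpn.server\n")["conn site"]
SERVER_SECRET = secret_index('public.ip.of.vpn.server public.ip.of.remote.firewall : PSK "x"')
REMOTE_SECRET_AS_POSTED = secret_index('public.ip.of.vpn.server private.ip.of.remote.vpn : PSK "x"')
REMOTE_SECRET_WITH_LEFTID = secret_index('public.ip.of.vpn.server public.ip.of.remote.firewall : PSK "x"')
print(check_ids(SERVER, SERVER_SECRET, REMOTE_AS_POSTED, REMOTE_SECRET_AS_POSTED))
```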
