[Openswan Users] One-to-one NAT
Paul Wouters
pwouters at redhat.com
Tue Feb 21 16:13:02 EST 2012
On Tue, 21 Feb 2012, Roman Serbski wrote:
> The client side is behind the firewall with one-to-one NAT configured.
>
> The VPN server is powered by Ubuntu 8.04.2 with Openswan
> U2.4.9/K2.6.24-23-server installed from packages. The server side is
> not NAT'ed.
> Here is an entry for the remote site in ipsec.conf (server side):
>
> ...
> config setup
>
>     nat_traversal=yes
>
> conn L2TP-PSK-NAT-remote-site-01
>     authby=secret
>     auto=start
>     keyingtries=3
>     rekey=yes
>     type=tunnel
>     left=public.ip.of.remote.firewall
>     leftsubnet=192.168.100.0/24
>     leftsourceip=192.168.100.1
>     right=public.ip.of.vpn.server
>     rightsubnet=10.0.0.0/8
>     rightsourceip=private.ip.vpn.server
>
> ipsec.secrets (server side):
> public.ip.of.vpn.server public.ip.of.remote.firewall : PSK "xxxxxxxxxxxxxxxxxxx"
>
> Remote site is powered by Ubuntu 9.10 with Openswan U2.6.22/K2.6.31-22-generic.
>
> ...
> config setup
>
>     nat_traversal=yes
>
> conn L2TP-PSK-NAT-remote-site-01
>     authby=secret
>     auto=start
>     type=tunnel
>     rekey=yes
>     left=public.ip.of.remote.vpn # this is actually a private IP behind NAT
>     leftsubnet=192.168.100.0/24
>     leftsourceip=192.168.100.1
>     right=public.ip.of.vpn.server
>     rightsubnet=10.0.0.0/8
>     rightsourceip=private.ip.of.vpn.server
>
> I'm confused here with regards to left part and ipsec.secrets.
>
> If I leave left=public.ip.of.remote.vpn and 'public.ip.of.vpn.server
> public.ip.of.remote.vpn : PSK "xxxxxxxxxxxxxxxxxxx"' in ipsec.secrets
> I receive INVALID_ID_INFORMATION error.
>
> If I put left=public.ip.of.remote.firewall I cannot even start ipsec:
> We cannot identify ourselves with either end of this connection.
I'm a little confused about what you have as left and right on both ends.

On the side behind NAT, you should use "%defaultroute" as the value for
its own site (e.g. if it is left, use left=%defaultroute). In
ipsec.secrets, you also specify your end as "%any" or "0.0.0.0", so:

0.0.0.0 public.ip.of.vpn.server : PSK "secret"

On the side behind NAT, you NEVER specify anything with your NAT
router's IP.

On the side with no NAT, you need rekey=no, as you cannot initiate
back to something behind NAT.
Paul
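The two configurations below are an added illustration of the advice in this reply, not a configuration posted by either participant. They reuse the thread's own placeholder addresses and PSK string; the only setting not taken from the thread is auto=add on the server, which is an assumption (it loads the conn without attempting to initiate toward a peer the server cannot reach). ID matching (leftid/rightid) is not covered by the thread and is left at the defaults here.

```ini
# ---------- Site behind the one-to-one NAT (remote site) ----------
# /etc/ipsec.conf
config setup
    nat_traversal=yes

conn L2TP-PSK-NAT-remote-site-01
    authby=secret
    auto=start            # the NAT'd side is the only one that can initiate
    type=tunnel
    rekey=yes
    left=%defaultroute    # never the NAT router's public IP; Openswan picks the local address
    leftsubnet=192.168.100.0/24
    leftsourceip=192.168.100.1
    right=public.ip.of.vpn.server
    rightsubnet=10.0.0.0/8
    rightsourceip=private.ip.of.vpn.server

# /etc/ipsec.secrets on the NAT'd side: our own end is the wildcard 0.0.0.0 (or %any)
0.0.0.0 public.ip.of.vpn.server : PSK "xxxxxxxxxxxxxxxxxxx"

# ---------- VPN server (not NAT'ed) ----------
# /etc/ipsec.conf
config setup
    nat_traversal=yes

conn L2TP-PSK-NAT-remote-site-01
    authby=secret
    auto=add              # assumption: load only; the server cannot initiate to a peer behind NAT
    type=tunnel
    rekey=no              # a rekey initiated from this side would have to reach through the NAT
    left=public.ip.of.remote.firewall   # the source address the server actually sees
    leftsubnet=192.168.100.0/24
    right=public.ip.of.vpn.server
    rightsubnet=10.0.0.0/8
    rightsourceip=private.ip.of.vpn.server

# /etc/ipsec.secrets on the server: keyed on the addresses the server sees
public.ip.of.vpn.server public.ip.of.remote.firewall : PSK "xxxxxxxxxxxxxxxxxxx"
```

The conn name and subnets are identical on both ends; only the local address selector and the rekey/auto behaviour differ, because one end can reach the other and not vice versa. After reloading, `ipsec auto --status` on either side shows whether the conn loaded and whether the NAT'd side has brought it up.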