[Openswan Users] One-to-one NAT

Paul Wouters pwouters at redhat.com
Tue Feb 21 16:13:02 EST 2012 

On Tue, 21 Feb 2012, Roman Serbski wrote:

> The client side is behind the firewall with one-to-one NAT configured.
>
> The VPN server is powered by Ubuntu 8.04.2 with Openswan
> U2.4.9/K2.6.24-23-server installed from packages.  The server side is
> not NAT'ed.

> Here is an entry for the remote site in ipsec.conf (server side):
>
> ...
> config setup
>
> nat_traversal=yes

> conn L2TP-PSK-NAT-remote-site-01
>       authby=secret
>       auto=start
>       keyingtries=3
>       rekey=yes
>       type=tunnel
>       left=public.ip.of.remote.firewall
>       leftsubnet=192.168.100.0/24
>       leftsourceip=192.168.100.1
>       right=public.ip.of.vpn.server
>       rightsubnet=10.0.0.0/8
>       rightsourceip=private.ip.vpn.server
>
> ipsec.secrets (server side):
> public.ip.of.vpn.server public.ip.of.remote.firewall : PSK "xxxxxxxxxxxxxxxxxxx"
>
> Remote site is powered by Ubuntu 9.10 with Openswan U2.6.22/K2.6.31-22-generic.
>
> ...
> config setup
>
> nat_traversal=yes
>
> conn L2TP-PSK-NAT-remote-site-01
>       authby=secret
>       auto=start
>       type=tunnel
>       rekey=yes
>       left=public.ip.of.remote.vpn # this is actually a private IP behind NAT
>       leftsubnet=192.168.100.0/24
>       leftsourceip=192.168.100.1
>       right=public.ip.of.vpn.server
>       rightsubnet=10.0.0.0/8
>       rightsourceip=private.ip.of.vpn.server
>
> I'm confused here with regards to left part and ipsec.secrets.
>
> If I leave left=public.ip.of.remote.vpn and 'public.ip.of.vpn.server
> public.ip.of.remote.vpn : PSK "xxxxxxxxxxxxxxxxxxx"' in ipsec.secrets
> I receive INVALID_ID_INFORMATION error.
>
> If I put left=public.ip.of.remote.firewall I cannot even start ipsec:
> We cannot identify ourselves with either end of this connection.

I'm a little confused what you have as left and right on both ends.

On the side behind nat, you should use "%defaultroute" as the value for
its own site (eg if it is left, use left=%defaultroute). In
ipsec.secrets, you also specify your end as "%any" or "0.0.0.0", so:

0.0.0.0 public.ip.of.vpn.server: PSK "secret"

On the side behind NAT, you NEVER specify anything with your NAT
router's IP.

On the side with no NAT, you need rekey=no, as you cannot initiate
back to something behind NAT.

Paul

More information about the Users mailing list