[Openswan Users] One-to-one NAT

Roman Serbski mefystofel at gmail.com
Wed Feb 22 04:38:22 EST 2012 

On Tue, Feb 21, 2012 at 10:13 PM, Paul Wouters <pwouters at redhat.com> wrote:
> On Tue, 21 Feb 2012, Roman Serbski wrote:
>
> I'm a little confused what you have as left and right on both ends.
>
> On the side behind nat, you should use "%defaultroute" as the value for
> its own site (eg if it is left, use left=%defaultroute). In
> ipsec.secrets, you also specify your end as "%any" or "0.0.0.0", so:
>
> 0.0.0.0 public.ip.of.vpn.server: PSK "secret"
>
> On the side behind NAT, you NEVER specify anything with your NAT
> router's IP.
>
> On the side with no NAT, you need rekey=no, as you cannot initiate
> back to something behind NAT.
>
> Paul

Hi Paul,

Many thanks for your reply.  Let me try to clarify my setup:

[VPN-SERVER] ----- [INTERNET] ----- [FW-WITH-NAT] ----- [VPN-CLIENT]

VPN-SERVER has two interfaces:
5.6.7.8 (public, static IP with no NAT)
10.20.20.1 (private, facing towards LAN)

FW-WITH-NAT has two interfaces:
1.2.3.4 (public, static IP, with one-to-one NAT configured)
10.10.10.1 (private, facing towards VPN-CLIENT)

VPN-CLIENT has two interfaces:
10.10.10.2 (private, facing towards FW-WITH-NAT)
10.30.30.1 (private, facing towards LAN)

### SERVER SIDE ###

ipsec.conf

config setup

nat_traversal=yes

conn L2TP-PSK-NAT-SITE-01
      authby=secret
      auto=start
      keyingtries=3
      rekey=no # changed it to no, as per your comment
      type=tunnel
      left=1.2.3.4
      leftsubnet=10.30.30.0/24
      leftsourceip=10.30.30.1
      right=5.6.7.8
      rightsubnet=10.0.0.0/8
      rightsourceip=10.20.20.1

ipsec.secrets
5.6.7.8 1.2.3.4 : PSK "xxxxxxxxxxxxxxxxxxx"

### END OF SERVER SIDE ###

### CLIENT SIDE ###

ipsec.conf

config setup

nat_traversal=yes
interfaces=%defaultroute

conn L2TP-PSK-NAT-SITE-01
      authby=secret
      auto=start
      keyingtries=3
      rekey=yes
      type=tunnel
      left=%defaultroute
      leftsubnet=10.30.30.0/24
      leftsourceip=10.30.30.1
      right=5.6.7.8
      rightsubnet=10.0.0.0/8
      rightsourceip=10.20.20.1

If I change left to %defaultroute and restart ipsec I receive: We
cannot identify ourselves with either end of this connection.

ipsec.secrets
How ipsec.secrets should look like on the client?  Normally it is:
5.6.7.8 10.10.10.2 : PSK "xxxxxxxxxxxxxxxxxxx" , but since it differs
from the server side entry I assume that's the reason why I receive
'ignoring informational payload, type INVALID_ID_INFORMATION
msgid=00000000' in the logs?

### END OF CLIENT SIDE ###

Thank you very much.

More information about the Users mailing list