[Openswan Users] One-to-one NAT
Roman Serbski
mefystofel at gmail.com
Wed Feb 22 04:38:22 EST 2012
On Tue, Feb 21, 2012 at 10:13 PM, Paul Wouters <pwouters at redhat.com> wrote:
> On Tue, 21 Feb 2012, Roman Serbski wrote:
>
> I'm a little confused what you have as left and right on both ends.
>
> On the side behind NAT, you should use "%defaultroute" as the value for
> its own side (e.g. if it is left, use left=%defaultroute). In
> ipsec.secrets, you also specify your end as "%any" or "0.0.0.0", so:
>
> 0.0.0.0 public.ip.of.vpn.server: PSK "secret"
>
> On the side behind NAT, you NEVER specify anything with your NAT
> router's IP.
>
> On the side with no NAT, you need rekey=no, as you cannot initiate
> back to something behind NAT.
>
> Paul
Hi Paul,
Many thanks for your reply. Let me try to clarify my setup:
[VPN-SERVER] ----- [INTERNET] ----- [FW-WITH-NAT] ----- [VPN-CLIENT]
VPN-SERVER has two interfaces:
5.6.7.8 (public, static IP with no NAT)
10.20.20.1 (private, facing towards LAN)
FW-WITH-NAT has two interfaces:
1.2.3.4 (public, static IP, with one-to-one NAT configured)
10.10.10.1 (private, facing towards VPN-CLIENT)
VPN-CLIENT has two interfaces:
10.10.10.2 (private, facing towards FW-WITH-NAT)
10.30.30.1 (private, facing towards LAN)
### SERVER SIDE ###
ipsec.conf
config setup
    nat_traversal=yes
conn L2TP-PSK-NAT-SITE-01
    authby=secret
    auto=start
    keyingtries=3
    rekey=no # changed it to no, as per your comment
    type=tunnel
    left=1.2.3.4
    leftsubnet=10.30.30.0/24
    leftsourceip=10.30.30.1
    right=5.6.7.8
    rightsubnet=10.0.0.0/8
    rightsourceip=10.20.20.1
ipsec.secrets
5.6.7.8 1.2.3.4 : PSK "xxxxxxxxxxxxxxxxxxx"
### END OF SERVER SIDE ###
### CLIENT SIDE ###
ipsec.conf
config setup
    nat_traversal=yes
    interfaces=%defaultroute
conn L2TP-PSK-NAT-SITE-01
    authby=secret
    auto=start
    keyingtries=3
    rekey=yes
    type=tunnel
    left=%defaultroute
    leftsubnet=10.30.30.0/24
    leftsourceip=10.30.30.1
    right=5.6.7.8
    rightsubnet=10.0.0.0/8
    rightsourceip=10.20.20.1
If I change left to %defaultroute and restart ipsec, I receive: "We
cannot identify ourselves with either end of this connection."
ipsec.secrets
What should ipsec.secrets look like on the client? Normally it is:
5.6.7.8 10.10.10.2 : PSK "xxxxxxxxxxxxxxxxxxx", but since it differs
from the server side entry, I assume that's the reason why I receive
'ignoring informational payload, type INVALID_ID_INFORMATION
msgid=00000000' in the logs?
### END OF CLIENT SIDE ###
Thank you very much.
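As an added illustration (not part of the thread, not Openswan tooling), the following script checks a conn section and an ipsec.secrets file against the three rules Paul states above, using constructed samples built from the addresses in the mail; the conn name SITE-01 and the secret values are placeholders.

```python
"""Lint an Openswan conn + ipsec.secrets pair against the NAT rules from the
thread. Added example, not Openswan's own code; sample configs are constructed."""

def parse_conn(conf_text, conn_name):
    """Collect key=value lines of one conn section; '#' starts a comment."""
    params, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            inside = line.split(None, 1)[1] == conn_name
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_secrets(secrets_text):
    """Return the index words (IPs, %any, 0.0.0.0) of each ': PSK' line."""
    return [tuple(l.split(":", 1)[0].split())
            for l in secrets_text.splitlines() if ": PSK" in l]

def check_behind_nat(conn, secrets, nat_router_ip, server_ip):
    """Side behind NAT: own end is %defaultroute, the NAT router's address
    never appears, and the PSK index for its own end is %any or 0.0.0.0."""
    issues = []
    if "%defaultroute" not in (conn.get("left"), conn.get("right")):
        issues.append("own end must be left/right=%defaultroute")
    if nat_router_ip in conn.values() or any(nat_router_ip in e for e in secrets):
        issues.append(f"NAT router IP {nat_router_ip} must not appear here")
    if not any(server_ip in e and {"%any", "0.0.0.0"} & set(e) for e in secrets):
        issues.append(f"secrets need '0.0.0.0 {server_ip} : PSK ...'")
    return issues

def check_no_nat(conn):
    """Side without NAT cannot initiate back through the NAT, so rekey=no."""
    return [] if conn.get("rekey") == "no" else ["rekey=no required on non-NAT side"]

# Constructed samples: the client conn as posted, the secrets line as posted,
# and a server conn still carrying rekey=yes (before the change).
CLIENT_CONF = """conn SITE-01
  left=%defaultroute
  leftsubnet=10.30.30.0/24
  right=5.6.7.8
  rightsubnet=10.0.0.0/8
"""
CLIENT_SECRETS = '5.6.7.8 10.10.10.2 : PSK "placeholder"\n'
SERVER_CONF = "conn SITE-01\n  rekey=yes\n"

if __name__ == "__main__":
    for issue in check_behind_nat(parse_conn(CLIENT_CONF, "SITE-01"),
                                  parse_secrets(CLIENT_SECRETS), "1.2.3.4", "5.6.7.8"):
        print("client:", issue)
    for issue in check_no_nat(parse_conn(SERVER_CONF, "SITE-01")):
        print("server:", issue)
```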