[Openswan Users] One-to-one NAT
mefystofel at gmail.com
Wed Feb 22 04:38:22 EST 2012
On Tue, Feb 21, 2012 at 10:13 PM, Paul Wouters <pwouters at redhat.com> wrote:
> On Tue, 21 Feb 2012, Roman Serbski wrote:
> I'm a little confused what you have as left and right on both ends.
> On the side behind nat, you should use "%defaultroute" as the value for
> its own site (eg if it is left, use left=%defaultroute). In
> ipsec.secrets, you also specify your end as "%any" or "0.0.0.0", so:
> 0.0.0.0 public.ip.of.vpn.server: PSK "secret"
> On the side behind NAT, you NEVER specify anything with your NAT
> router's IP.
> On the side with no NAT, you need rekey=no, as you cannot initiate
> back to something behind NAT.
Many thanks for your reply. Let me try to clarify my setup:
[VPN-SERVER] ----- [INTERNET] ----- [FW-WITH-NAT] ----- [VPN-CLIENT]
VPN-SERVER has two interfaces:
22.214.171.124 (public, static IP with no NAT)
10.20.20.1 (private, facing towards LAN)
FW-WITH-NAT has two interfaces:
126.96.36.199 (public, static IP, with one-to-one NAT configured)
10.10.10.1 (private, facing towards VPN-CLIENT)
VPN-CLIENT has two interfaces:
10.10.10.2 (private, facing towards FW-WITH-NAT)
10.30.30.1 (private, facing towards LAN)
### SERVER SIDE ###
rekey=no # changed it to no, as per your comment
188.8.131.52 184.108.40.206 : PSK "xxxxxxxxxxxxxxxxxxx"
### END OF SERVER SIDE ###
### CLIENT SIDE ###
If I change left to %defaultroute and restart ipsec I receive: We
cannot identify ourselves with either end of this connection.
How should ipsec.secrets look on the client? Normally it is:
220.127.116.11 10.10.10.2 : PSK "xxxxxxxxxxxxxxxxxxx", but since it differs
from the server side entry I assume that's the reason why I receive
'ignoring informational payload, type INVALID_ID_INFORMATION
msgid=00000000' in the logs?
### END OF CLIENT SIDE ###
Thank you very much.
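Putting Paul's three points (left=%defaultroute and a 0.0.0.0 secrets entry on the NATed side, rekey=no on the public side, nothing keyed on the NAT router's IP) against the topology above, as an added example that is not part of the thread. The /24 LAN masks and the rightid line on the server (assuming the NATed client identifies itself by its own private address) are assumptions, not something the thread states.

```ini
# --- VPN-SERVER: public 22.214.171.124, LAN 10.20.20.0/24 (mask assumed) ---
# /etc/ipsec.conf
conn nat-client
    authby=secret
    left=22.214.171.124
    leftsubnet=10.20.20.0/24
    # packets arrive from the firewall's public address (one-to-one NAT)
    right=126.96.36.199
    rightsubnet=10.30.30.0/24
    # ASSUMPTION: the client behind NAT presents its own private address
    # as its IKE ID, so tell the server which ID to expect from 126.96.36.199
    rightid=10.10.10.2
    # the public side cannot initiate back to a NATed peer, so never rekey from here
    rekey=no
    auto=add

# /etc/ipsec.secrets on VPN-SERVER: own public IP, then the peer's NATed public IP
22.214.171.124 126.96.36.199 : PSK "xxxxxxxxxxxxxxxxxxx"

# --- VPN-CLIENT: behind FW-WITH-NAT, LAN 10.30.30.0/24 (mask assumed) ---
# /etc/ipsec.conf
conn nat-client
    authby=secret
    # never the NAT router's IP: let pluto use the interface holding the default route
    left=%defaultroute
    leftsubnet=10.30.30.0/24
    right=22.214.171.124
    rightsubnet=10.20.20.0/24
    # only the NATed side can (re)initiate, so it starts the tunnel
    auto=start

# /etc/ipsec.secrets on VPN-CLIENT: own end as 0.0.0.0 (or %any), then the server's public IP
0.0.0.0 22.214.171.124 : PSK "xxxxxxxxxxxxxxxxxxx"
```

The PSK string itself must be identical on both sides; only the address columns in front of it differ.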