[Openswan Users] One-to-one NAT
Paul Wouters
pwouters at redhat.com
Wed Feb 22 13:08:32 EST 2012
On Wed, 22 Feb 2012, Roman Serbski wrote:
> Many thanks for your reply. Let me try to clarify my setup:
>
> [VPN-SERVER] ----- [INTERNET] ----- [FW-WITH-NAT] ----- [VPN-CLIENT]
>
> VPN-SERVER has two interfaces:
> 5.6.7.8 (public, static IP with no NAT)
> 10.20.20.1 (private, facing towards LAN)
>
> FW-WITH-NAT has two interfaces:
> 1.2.3.4 (public, static IP, with one-to-one NAT configured)
> 10.10.10.1 (private, facing towards VPN-CLIENT)
>
> VPN-CLIENT has two interfaces:
> 10.10.10.2 (private, facing towards FW-WITH-NAT)
> 10.30.30.1 (private, facing towards LAN)
> ### SERVER SIDE ###
Looks good.
> ### CLIENT SIDE ###
>
> ipsec.conf
>
> config setup
>
> nat_traversal=yes
> interfaces=%defaultroute
>
> conn L2TP-PSK-NAT-SITE-01
> authby=secret
> auto=start
> keyingtries=3
> rekey=yes
> type=tunnel
> left=%defaultroute
Use left=10.10.10.2
> leftsubnet=10.30.30.0/24
> leftsourceip=10.30.30.1
> right=5.6.7.8
> rightsubnet=10.0.0.0/8
> rightsourceip=10.20.20.1
>
> If I change left to %defaultroute and restart ipsec I receive: We
> cannot identify ourselves with either end of this connection.
>
> ipsec.secrets
> How ipsec.secrets should look like on the client? Normally it is:
> 5.6.7.8 10.10.10.2 : PSK "xxxxxxxxxxxxxxxxxxx" , but since it differs
> from the server side entry I assume that's the reason why I receive
> 'ignoring informational payload, type INVALID_ID_INFORMATION
> msgid=00000000' in the logs?
10.10.10.2 5.6.7.8: PSK "xxxxxx"
Paul
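A small consistency check for the client-side settings discussed in this thread, written as an added example that is not part of the original messages or of Openswan itself. The ipsec.conf and ipsec.secrets fragments below are constructed from the thread; the check only verifies that left is an explicit address and that a PSK line is indexed by both endpoint addresses (order-insensitive), which is what the reply recommends.

```python
import re

# Constructed client-side fragments mirroring the thread (not the original files).
IPSEC_CONF = """\
config setup
    nat_traversal=yes
    interfaces=%defaultroute

conn L2TP-PSK-NAT-SITE-01
    authby=secret
    left=%defaultroute
    leftsubnet=10.30.30.0/24
    right=5.6.7.8
    rightsubnet=10.0.0.0/8
"""
IPSEC_SECRETS = '5.6.7.8 10.10.10.2 : PSK "xxxxxxxxxxxxxxxxxxx"\n'


def parse_conn(conf, name):
    """Return the key=value settings of one 'conn <name>' section."""
    settings, in_conn = {}, False
    for line in conf.splitlines():
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            in_conn = (m.group(1) == name)
            continue
        if in_conn and "=" in line:
            k, v = line.strip().split("=", 1)
            settings[k] = v
    return settings


def parse_secrets(text):
    """Return (set_of_index_ids, secret_type) for each non-comment secrets line."""
    out = []
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        index, rest = line.split(":", 1)
        out.append((set(index.split()), rest.strip().split()[0]))
    return out


def check_client(conf, secrets, conn_name, my_addr, peer_addr):
    """Flag %defaultroute on left, a wrong peer, or a missing PSK index."""
    conn = parse_conn(conf, conn_name)
    problems = []
    if conn.get("left") in (None, "%defaultroute"):
        problems.append("left should be the client's own address, not %defaultroute")
    if conn.get("right") != peer_addr:
        problems.append("right does not match the VPN server address")
    wanted = {my_addr, peer_addr}
    if not any(ids >= wanted and t == "PSK" for ids, t in parse_secrets(secrets)):
        problems.append("no PSK line indexed by both %s and %s" % (my_addr, peer_addr))
    return problems
```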