[Openswan Users] One-to-one NAT

Paul Wouters pwouters at redhat.com
Wed Feb 22 13:08:32 EST 2012


On Wed, 22 Feb 2012, Roman Serbski wrote:

> Many thanks for your reply.  Let me try to clarify my setup:
>
> [VPN-SERVER] ----- [INTERNET] ----- [FW-WITH-NAT] ----- [VPN-CLIENT]
>
> VPN-SERVER has two interfaces:
> 5.6.7.8 (public, static IP with no NAT)
> 10.20.20.1 (private, facing towards LAN)
>
> FW-WITH-NAT has two interfaces:
> 1.2.3.4 (public, static IP, with one-to-one NAT configured)
> 10.10.10.1 (private, facing towards VPN-CLIENT)
>
> VPN-CLIENT has two interfaces:
> 10.10.10.2 (private, facing towards FW-WITH-NAT)
> 10.30.30.1 (private, facing towards LAN)

> ### SERVER SIDE ###

Looks good.

> ### CLIENT SIDE ###
>
> ipsec.conf
>
> config setup
>
> nat_traversal=yes
> interfaces=%defaultroute
>
> conn L2TP-PSK-NAT-SITE-01
>      authby=secret
>      auto=start
>      keyingtries=3
>      rekey=yes
>      type=tunnel
>      left=%defaultroute

Use left=10.10.10.2

>      leftsubnet=10.30.30.0/24
>      leftsourceip=10.30.30.1
>      right=5.6.7.8
>      rightsubnet=10.0.0.0/8
>      rightsourceip=10.20.20.1
>
> If I change left to %defaultroute and restart ipsec I receive: We
> cannot identify ourselves with either end of this connection.
>
> ipsec.secrets
> How ipsec.secrets should look like on the client?  Normally it is:
> 5.6.7.8 10.10.10.2 : PSK "xxxxxxxxxxxxxxxxxxx" , but since it differs
> from the server side entry I assume that's the reason why I receive
> 'ignoring informational payload, type INVALID_ID_INFORMATION
> msgid=00000000' in the logs?

10.10.10.2 5.6.7.8: PSK "xxxxxx"

Paul
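The two fixes above (a concrete `left=` address instead of `%defaultroute`, and a PSK line whose IDs are the conn's own left/right addresses) can be sanity-checked before restarting ipsec. The script below is an added example written for this page, not Openswan code and not something from the thread: it parses a deliberately small subset of the ipsec.conf and ipsec.secrets formats, and the matching rule it applies (a PSK entry whose two IDs are exactly the conn's left and right, order ignored) is an assumption made here for the check, not a description of pluto's own secret lookup. The sample files and PSK value are constructed.

```python
"""Consistency check between a conn's left/right and a PSK line in ipsec.secrets.

Added example (not Openswan's own code).  Assumptions: ipsec.conf sections
start at column 0 and their settings are indented; a PSK line has the form
'ID [ID] : PSK "secret"'; a PSK entry matches when its set of IDs equals
{left, right}.  Sample inputs below are constructed from the thread.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed client-side ipsec.conf with Paul's fix (left=10.10.10.2) applied.
IPSEC_CONF = """\
config setup
    nat_traversal=yes
    interfaces=%defaultroute

conn L2TP-PSK-NAT-SITE-01
    authby=secret
    auto=start
    type=tunnel
    left=10.10.10.2
    leftsubnet=10.30.30.0/24
    right=5.6.7.8
    rightsubnet=10.0.0.0/8
"""

# Constructed secrets: one entry keyed on the conn's own addresses, one keyed
# on the NAT firewall's public address instead (PSK value is a placeholder).
IPSEC_SECRETS_OK = '10.10.10.2 5.6.7.8: PSK "placeholder-psk"\n'
IPSEC_SECRETS_BAD = '1.2.3.4 5.6.7.8 : PSK "placeholder-psk"\n'

SECRET_RE = re.compile(r'^\s*(?P<ids>[^:]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'config setup': {...}, 'conn NAME': {...}} from a minimal ipsec.conf."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented line = section header
            kind, _, name = line.partition(" ")
            current = f"{kind} {name}".strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_secrets(text: str) -> List[Tuple[Set[str], str]]:
    """Return [(set_of_ids, psk), ...] for every PSK line in ipsec.secrets."""
    entries: List[Tuple[Set[str], str]] = []
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            entries.append((set(m.group("ids").split()), m.group("psk")))
    return entries


def check_conn(conf_text: str, secrets_text: str, conn_name: str) -> List[str]:
    """Return a list of problems; an empty list means the conn and secrets agree."""
    problems: List[str] = []
    conn = parse_conf(conf_text).get(f"conn {conn_name}")
    if conn is None:
        return [f"conn {conn_name} not found"]
    ends: Dict[str, str] = {}
    for side in ("left", "right"):
        value = conn.get(side)
        if value is None:
            problems.append(f"{side}= is missing")
        elif value.startswith("%"):
            # %defaultroute / %any give no concrete ID to look a PSK up by.
            problems.append(f"{side}={value} is not a concrete address; use the interface IP")
        else:
            ends[side] = value
    if len(ends) != 2:
        return problems
    wanted = {ends["left"], ends["right"]}
    if not any(ids == wanted for ids, _ in parse_secrets(secrets_text)):
        problems.append(f"no PSK entry whose IDs are exactly {sorted(wanted)}")
    return problems


if __name__ == "__main__":
    for label, secrets in (("ok", IPSEC_SECRETS_OK), ("bad", IPSEC_SECRETS_BAD)):
        print(label, check_conn(IPSEC_CONF, secrets, "L2TP-PSK-NAT-SITE-01"))
```

Run against the "bad" secrets file the check reports that no PSK entry is keyed on 10.10.10.2/5.6.7.8, which is the kind of mismatch that shows up in the log as an identity problem rather than as a clear "wrong secret" message; with `left=%defaultroute` it stops earlier, because there is no concrete address to match on at all.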

