[Openswan Users] How to configure nat_traversal in /etc/ipsec.conf
Bart Smink
bartsmink at gmail.com
Tue Jan 8 17:06:49 EST 2013
Hi Tony,

I'm not an expert on Openswan, but I do have experience with it. I have
enabled nat_traversal always, and it has never caused me problems. Your
problem seems to occur when you don't have it enabled.

OSX used to have a bug with public IP connections, where it told Openswan
that it was NAT-ed even when this was not true. This can be solved by using
some settings in ipsec.conf.

You need

    dpddelay=10
    dpdtimeout=90
    dpdaction=clear

for the iPhone to work.

I also have this:

    ikelifetime=8h
    keylife=1h

But I don't know if it is required.

You need this for L2TP tunneling:

    type=tunnel
    compress=no
    disablearrivalcheck=no

Not sure about the last two, but I have them enabled.

For L2TP you need:

    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    forceencaps=yes

forceencaps is required for iOS, to fix the false statement of the iOS/OSX
client saying that it is NAT-ed. Indeed this is also the case with OSX.

I hope this helps, but do notice that IPsec tunneling is not always easy.

Greetings,
Bart Smink

2013/1/8 <tony.blue.mailinglist at gmx.de>
> On 06.01.2013 21:28, tony.blue.mailinglist at gmx.de wrote:
>
> Nobody has an idea or a tip for me?
>
> Thank you!
>
> Tony
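
A small lint for the settings named in the message above, as an added example that is not part of the original post or of Openswan. It parses an ipsec.conf, applies `conn %default` inheritance, and goes slightly beyond the post by checking that `virtual_private` is set in `config setup` when `rightsubnet` uses `%priv`. The conn name `l2tp-psk` and the sample file are constructed for illustration.

```python
# Added example: lint an ipsec.conf against the settings named in the post.
REQUIRED = {  # values taken from the post
    "dpddelay": "10", "dpdtimeout": "90", "dpdaction": "clear",
    "rightprotoport": "17/%any", "forceencaps": "yes",
}

def parse(text):
    """Return {section: {key: value}} for 'config setup' and 'conn X' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header in column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def lint(text, conn):
    """List findings for one conn, honouring 'conn %default' inheritance."""
    cfg = parse(text)
    setup = cfg.get("config setup", {})
    merged = {**cfg.get("conn %default", {}), **cfg.get(f"conn {conn}", {})}
    findings = [f"{k} should be {v} (found {merged.get(k)!r})"
                for k, v in REQUIRED.items() if merged.get(k) != v]
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes is not set")
    # vhost:%priv takes its address ranges from virtual_private in config setup
    if "%priv" in merged.get("rightsubnet", "") and "virtual_private" not in setup:
        findings.append("rightsubnet uses %priv but virtual_private is not set")
    return findings

SAMPLE = """\
config setup
    nat_traversal=yes
conn %default
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
conn l2tp-psk
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    forceencaps=no   # constructed weak value for the demo
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, "l2tp-psk")))
```
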