[Openswan Users] How to configure nat_traversal in /etc/ipsec.conf

Bart Smink bartsmink at gmail.com
Tue Jan 8 17:06:49 EST 2013


Hi Tony,

I'm not an expert on Openswan, but I do have experience with it. I have
enabled nat_traversal always, and it has never caused me problems. Your
problem seems to occur when you don't have it enabled.

OSX used to have a bug with public ip connections, where it told Openswan
that it was NAT-ed even when this was not true. This can be solved by using
some settings in ipsec.conf.

You need
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
 for the iPhone to work.

I also have this:
        ikelifetime=8h
        keylife=1h

But I don't know if it is required.

You need this for L2TP tunneling
        type=tunnel
        compress=no
        disablearrivalcheck=no

Not sure about the last two, but I have them enabled.

For L2TP you need:
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        forceencaps=yes

forceencaps is required for iOS, to fix the false statement of the iOS/OSX
client saying that it is NAT-ed. Indeed this is also the case with OSX.

I hope this helps, but do notice that IPsec tunneling is not always easy.

Greetings,

Bart Smink
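As an added example (not code from the thread or from Openswan), here is a small Python checker that parses an ipsec.conf and reports L2TP conns that lack the settings Bart lists above, plus a missing nat_traversal=yes in "config setup". The sample config, the function names and the exact set of checked keys are constructed for illustration.

```python
import re
# Constructed sample ipsec.conf: an L2TP/IPsec conn that has the DPD settings
# from the thread but is missing forceencaps=yes, so the checker reports it.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes

conn l2tp-psk
        type=tunnel
        leftprotoport=17/1701
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
"""
# Per-conn settings recommended in the thread for iOS/OS X L2TP clients.
# A value of None means the key only has to be present.
REQUIRED_CONN = {"type": "tunnel", "forceencaps": "yes", "dpdaction": "clear",
                 "dpddelay": None, "dpdtimeout": None,
                 "rightsubnet": "vhost:%priv,%no"}

def parse_ipsec_conf(text):
    # Returns {section: {key: value}}; section is 'setup' or the conn name.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # 'config setup' / 'conn NAME'
            m = re.match(r"(config|conn)\s+(\S+)", line)
            current = sections.setdefault(m.group(2), {}) if m else None
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_l2tp(text):
    # Returns a list of findings; an empty list means every setting is present.
    sections, findings = parse_ipsec_conf(text), []
    if sections.get("setup", {}).get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal is not set to yes")
    for name, opts in sections.items():
        if name == "setup" or not opts.get("rightprotoport", "").startswith("17/"):
            continue                               # only L2TP (UDP/17) conns are checked
        for key, want in REQUIRED_CONN.items():
            have = opts.get(key)
            if have is None or (want is not None and have != want):
                findings.append("conn %s: want %s=%s, have %s" % (name, key, want or "<set>", have))
    return findings
```

Run check_l2tp() over your own /etc/ipsec.conf text; the sample above yields exactly one finding, the missing forceencaps=yes.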

2013/1/8 <tony.blue.mailinglist at gmx.de>

> On 06.01.2013 21:28, tony.blue.mailinglist at gmx.de wrote:
>
> Nobody has an idea or a tip for me?
>
> Thank you!
>
> Tony
>
