[Openswan Users] host to host ipsec vpn tunnel through NAT
Michael Chan
mchan49 at gmail.com
Wed Oct 9 20:12:37 UTC 2013
Hi,

This is what I have in my ipsec.conf. This is the config that allowed
me to get past phase 2 of IKE. I've tried other configs, like setting
nat-traversal on both client and server, but it never completed phase 2.
Client:

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    # private".
    # Note: "crypt" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #plutostderrlog=/var/log/pluto.log
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    nat_traversal=yes
    virtual_private=%v4:20.20.0.0/16,%v4:!10.0.0.0/8

conn sample-connection-for-illustration
    authby=secret
    auto=start
    type=transport
    left=10.10.0.10
    leftsubnet=10.0.0.0/8
    right=20.20.20.150
    rightsubnet=20.20.0.0/16
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
Server:

config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # The interfaces= line is only required for the klips/mast stack
    #interfaces="%defaultroute"
    #interfaces="ipsec0=eth0 ipsec1=ppp0"
    #
    # If you want to limit listening on a single IP - not required for
    # normal operation
    #listen=127.0.0.1
    #
    # Do not set debug options to debug configuration issues!
    #
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
    # private".
    # Note: "crypt" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #plutodebug=none
    #klipsdebug=none
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #plutostderrlog=/var/log/pluto.log
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    #nat_traversal=yes
    #virtual_private=%v4:10.10.0.0/16,%v4:!20.20.20.0/24

conn sample-connection-for-illustration
    authby=secret
    auto=start
    type=transport
    left=20.20.20.150
    leftsubnet=20.20.0.0/16
    right=10.10.0.10
    rightsubnet=10.10.0.0/16
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
Thanks,
Michael
On Wed, Oct 9, 2013 at 12:40 PM, Neal Murphy <neal.p.murphy at alum.wpi.edu>wrote:
> On Wednesday, October 09, 2013 02:29:06 PM Michael Chan wrote:
> > Hi,
> > I'm trying to setup a vpn connection from my client to server through a
> > NAT router, but I'm not getting the connection up. My topology looks like
> > this:
>
> Generally speaking, both sides need to speak NAT_TRAVERSAL and your firewall
> must allow UDP port 4500--and maybe port 500--out.
>
> During testing, I have forwarded ports 500 and 4500 to an internal host; this
> allowed an external host to initiate a VPN with my internal (NATted) host. But
> typically (without such port forwards), the NATted host must initiate the VPN
> because the remote cannot.
>
> Post your ipsec.conf if still you have no joy.
>
> N
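An added cross-check (not code from this thread or from Openswan) that applies Neal's two points to the configs posted above: nat_traversal=yes has to be present on both peers, and each conn's left/right address, subnet and phase 2 proposal on one peer must mirror the other's. The embedded configs are constructed, condensed copies of the client and server files above with the indentation ipsec.conf requires restored.

```python
import re

# Constructed, condensed copies of the two posted configs (stock comments dropped).
CLIENT_CONF = """\
config setup
    nat_traversal=yes
conn sample-connection-for-illustration
    left=10.10.0.10
    leftsubnet=10.0.0.0/8
    right=20.20.20.150
    rightsubnet=20.20.0.0/16
    phase2alg=aes256-sha1;modp2048
"""
SERVER_CONF = """\
config setup
    #nat_traversal=yes
conn sample-connection-for-illustration
    left=20.20.20.150
    leftsubnet=20.20.0.0/16
    right=10.10.0.10
    rightsubnet=10.10.0.0/16
    phase2alg=aes256-sha1;modp2048
"""

def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn <name>': {...}}; '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out key simply disappears
        header = re.match(r"^(config|conn)\s+(\S+)$", line)
        if header:
            current = sections.setdefault(f"{header[1]} {header[2]}", {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def natt_findings(client_text, server_text):
    """Mismatches that keep this client/server pair from bringing up a NAT-T tunnel."""
    c, s = parse_ipsec_conf(client_text), parse_ipsec_conf(server_text)
    out = []
    for side, conf in (("client", c), ("server", s)):  # both peers must speak NAT-T
        if conf.get("config setup", {}).get("nat_traversal") != "yes":
            out.append(f"{side}: nat_traversal=yes missing from 'config setup'")
    for conn in (n for n in c if n.startswith("conn ") and n in s):
        # left/right are mirrored between the peers; the phase 2 proposal must be identical
        for ck, sk in (("left", "right"), ("leftsubnet", "rightsubnet"), ("right", "left"),
                       ("rightsubnet", "leftsubnet"), ("phase2alg", "phase2alg")):
            if c[conn].get(ck) != s[conn].get(sk):
                out.append(f"{conn}: client {ck}={c[conn].get(ck)} vs server {sk}={s[conn].get(sk)}")
    return out
```

Run against the posted pair it reports two problems: the server has NAT-T commented out, and the client's leftsubnet (10.0.0.0/8) is not what the server expects as rightsubnet (10.10.0.0/16).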