Re: [Users] SG behind firewall with NAT

From: Sam Sgro (sam_at_freeswan.org)
Date: Thu Aug 08 2002 - 19:35:46 CEST


-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 7 Aug 2002 Sebastian.Beckmann_at_t-online.de wrote:

> Hi there,
>
> I want to connect a roadwarrior with a dial-up connection to the
> internet to a single server (private IP address) through a firewall with
> NAT.
> I initiate the tunnel from the roadwarrior, since the only fixed,
> routable known IP address is a.b.c.d.
> My problem is that I get the "connection established" message when
> starting the tunnel, but I cannot successfully communicate between
> those computers. I am pretty sure this problem is already solved by
> someone, but I am desperate.

(You aren't trying to communicate to 192.168.1.140 directly, right?)

Start by reading:

http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/trouble.html

"connection established" is not FreeS/WAN terminology; you need to provide
at least a snippet from the logs to show the result of a connection attempt.
Briefly enable verbose logging so that you can see how communication is
failing if a connection is properly established. tcpdump can also help you
trace the packet flow.

However, speaking broadly, this setup - IPSec server behind NAT - is difficult
to get working. Given that your gateway box is running Linux, you may find it
simpler to deploy FreeS/WAN on the server itself. You can use
"192.168.1.140/32" as the "leftsubnet" parameter if you only want to allow a
connection to that IP address.

The NAT Traversal patch was created to overcome some of the problems that NAT
creates for IPSec; it works by encapsulating ESP packets in UDP. You can find
it here:

http://open-source.arkoon.net

A note about when you don't need to use the "nexthop" parameter:

1) When you've already specified "%defaultroute", for example, "rightnexthop"
here:

> ipsec.conf-server:
>
> conn laptop-dmz
> # Left security gateway, subnet behind it, next hop toward right.
> left=0.0.0.0
> leftid=@laptop.dummy.de
> #leftnexthop=212.185.124.106
> # Right security gateway, subnet behind it, next hop toward left.
> right=%defaultroute
> rightid=@pc.dummy.de
> rightnexthop=192.168.1.1
> auto=add
> keyingtries=1
> rightrsasigkey=0s.....
> leftrsasigkey=0sAQ....

2) When you're referring to the other end of a connection; the "nexthop"
parameter only gets used locally, for example, "rightnexthop" here:

> ----------------------------------------------------------------------------
> ipsec.conf-roadwarrior:
>
> # Left security gateway, subnet behind it, next hop toward right.
> left=%defaultroute
> leftid=@laptop.dummy.de
> # Right security gateway, subnet behind it, next hop toward left.
> right=a.b.c.d
> rightid=@pc.dummy.de
> rightnexthop=192.168.1.1

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPVKr9EOSC4btEQUtAQF6ngQAvCrEaWRknmnN0qgv5ZBqJM6lXVokvkBm
uOXw8Nc6CiQsqlCVxY40OdheE/BxE9IJCAKGTz3wRaBCTzIeDj2VUqneqybPAEC+
lfgduNwoL99epIbe59va1jy5e6bd78r8PhdbMxschmm5fftogs1wFV7NQKM7tfLC
yktFrBTr0Hg=
=buiz
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
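The two "nexthop" rules from the reply above (a nexthop for a side given as "%defaultroute" is redundant; a nexthop for the remote side is ignored because the parameter is only used locally) can be checked mechanically against an ipsec.conf. The following is an added example, not code from the mail or from FreeS/WAN: a small linter that parses FreeS/WAN-style "conn" sections and reports nexthop settings that have no effect. The two sample configurations are the ones quoted in the thread with their indentation restored; the rule of guessing the local side as the one set to "%defaultroute" is an assumption of this example.

```python
"""Lint FreeS/WAN ipsec.conf "conn" sections for nexthop parameters that
have no effect.  Added example, not FreeS/WAN's own code.  The sample
configurations below are reconstructed from the two configs quoted in the
mail, with the indentation ipsec.conf requires under a "conn" header."""

SERVER_CONF = """\
conn laptop-dmz
\t# Left security gateway, subnet behind it, next hop toward right.
\tleft=0.0.0.0
\tleftid=@laptop.dummy.de
\t#leftnexthop=212.185.124.106
\t# Right security gateway, subnet behind it, next hop toward left.
\tright=%defaultroute
\trightid=@pc.dummy.de
\trightnexthop=192.168.1.1
\tauto=add
\tkeyingtries=1
"""

ROADWARRIOR_CONF = """\
conn laptop-dmz
\tleft=%defaultroute
\tleftid=@laptop.dummy.de
\tright=a.b.c.d
\trightid=@pc.dummy.de
\trightnexthop=192.168.1.1
"""


def parse_conns(text):
    """Return {conn_name: {param: value}} from ipsec.conf text.

    Section headers ("conn NAME") start at column 0; parameters are
    indented key=value lines; '#' starts a comment.  Only conn sections
    are kept, so "config setup" is skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                    # section header
            words = line.split()
            if len(words) == 2 and words[0] == "conn":
                current = conns.setdefault(words[1], {})
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def local_side(conn):
    """Assumption of this example: this host is the side set to %defaultroute."""
    for side in ("left", "right"):
        if conn.get(side) == "%defaultroute":
            return side
    return None


def check_nexthop(conn, local):
    """Return [(param, finding)] for nexthop parameters in one conn.

    Rule 1: a nexthop for the local side is redundant when that side is
            %defaultroute, since FreeS/WAN takes it from the default route.
    Rule 2: a nexthop for the remote side is ignored, since nexthop is
            only ever used locally.
    """
    findings = []
    for side in ("left", "right"):
        key = side + "nexthop"
        if key not in conn:
            continue
        if side != local:
            findings.append((key, "ignored: nexthop is only used for the local side"))
        elif conn.get(side) == "%defaultroute":
            findings.append((key, "redundant: %defaultroute already supplies the next hop"))
    return findings


def lint(text):
    """Lint every conn in an ipsec.conf text; returns {conn_name: findings}."""
    return {name: check_nexthop(conn, local_side(conn))
            for name, conn in parse_conns(text).items()}


if __name__ == "__main__":
    for label, text in (("server", SERVER_CONF), ("roadwarrior", ROADWARRIOR_CONF)):
        for name, findings in lint(text).items():
            for key, msg in findings:
                print(f"{label} conn {name}: {key} {msg}")
```

Run against the two quoted configs, the server side reports its "rightnexthop" as redundant (right is %defaultroute), and the roadwarrior reports its "rightnexthop" as ignored (the roadwarrior is the left side), which is exactly the pair of cases the reply points out; the commented-out "leftnexthop" produces no finding.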

This archive was generated by hypermail 2.1.4 : Thu Aug 08 2002 - 23:19:41 CEST