From: Sam Sgro (sam_at_freeswan.org)
Date: Mon Nov 25 2002 - 05:44:36 CET
If you can't alter the MS side, you might want to try
mimicking the connection as the MS tries to negotiate. (i.e., with
"rightsubnet=212.121.121.2/32", though I don't see how that will accomplish
anything.)
I actually think you may be out of luck. Trying to make FreeS/WAN work
behind NAT can be difficult at times; and without a) a NAT-traversal based
client or b) any useful configuration options, I'm not sure what to say,
aside from you get what you pay for. :)
On Sat, 23 Nov 2002, Giorgio Biondi wrote:
> Hi,
>
> You suggest writing a different ipsec.conf for the win98 machine (with
> leftsubnet modified), but the software on win98 doesn't have anything
> to do this... I can only modify ipsec.conf on the linuxbox side.
> My ipsec.conf follows:
>
>
> #
> config setup
>     interfaces="ipsec0=eth1"
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>     uniqueids=no
>
> conn %default
>     keyingtries=0
>
> conn road
>     type=tunnel
>     keyingtries=1
>     left=%any
>     rightnexthop=
>     right=192.168.252.2
>     rightsubnet=10.0.0.0/16
>     rightfirewall=yes
>     authby=secret
>     auto=add
>
> -----Original Message-----
> From: Sam Sgro [mailto:sam_at_freeswan.org]
> Sent: Friday, 22 November 2002 19:55
> To: Giorgio Biondi
> Cc: users_at_lists.freeswan.org
> Subject: Re: [Users] VPN with natted vpn server
>
> On Fri, 22 Nov 2002, Giorgio Biondi wrote:
>
> > Hi,
> >
> > I want to create access for road-warrior (win98 with dun V1.4 + msl2tp ipsec from M$),
>
> So, you're also running l2tpd on the FreeS/WAN server, right?
>
> If you get this working, please post to the list - I'm certain there are a
> number of people who would be interested in seeing a working example of this
> setup.
>
> > but the real problem is my linux vpn concentrator; it has a natted IP from Fastweb carrier.
>
> Ah, NAT *and* l2tp; sounds like a fun time. ;)
>
> > The scenario is this:
> >
> > 10.0.0.0/16-->10.0.1.2/16[linux]192.168.252.2-->212.121.121.2(public ip)
> >
> > My road warrior sends ipsec packets to 212.121.121.2 but the linux
> > 'sees' packets FOR interface 192.168.252.2 and writes this to the log:
> >
> > Nov 21 10:05:52 fw pluto[9324]: "road"[1] 151.28.38.5 #1: cannot respond to IPsec SA request because no connection is known for
> > 212.121.121.2/32===192.168.252.2:17/1701...151.28.38.5:17/1701
> > subnet             ipsec host              roadwarrior
>
>
> Okay, that's not right.
>
> Your setup sees the reverse request from the MS machine; that 212.121.121.2/32
> is the subnet, protected by 192.168.252.2/32. The proper setup will define the
> reverse; you will need to define the 192.168.252.2/32 as the subnet machine
> in at least one connection to allow packets to flow.
>
> This has to be an error on the MS side; perhaps you've misconfigured the
> client.
>
> To deal with the NAT issues you will run into, make connections, with
> different values of "leftsubnet".
>
> leftsubnet=192.168.252.2/32
>
> and the other, with:
>
> leftsubnet=10.0.0.0/16
>
> Just make certain that all the potential values have been covered.
>
> --
> Sam Sgro
> sam_at_freeswan.org
>
>
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>
--
Sam Sgro
sam_at_freeswan.org
This archive was generated by hypermail 2.1.5 : Tue Nov 26 2002 - 05:20:48 CET
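
Added example (not part of the original messages, and not FreeS/WAN code): a small Python check that takes the pluto "no connection is known for" line quoted in the thread and compares it with the posted "conn road", to show which value was not covered. It assumes the Linux box is the "right" side, as in the posted ipsec.conf, and that host and subnet must equal the request; the protocol/port part is parsed but not compared, and the function names are illustrative.

```python
import ipaddress
import re

# Log text and conn values are copied from the thread (wrapped log line rejoined).
LOG = ('Nov 21 10:05:52 fw pluto[9324]: "road"[1] 151.28.38.5 #1: cannot respond '
       'to IPsec SA request because no connection is known for '
       '212.121.121.2/32===192.168.252.2:17/1701...151.28.38.5:17/1701')
CONF = """
conn road
    left=%any
    right=192.168.252.2
    rightsubnet=10.0.0.0/16
"""
REQ = re.compile(r'no connection is known for (?:(?P<subnet>[\d./]+)===)?'
                 r'(?P<host>[\d.]+)(?::(?P<protoport>\d+/\d+))?\.\.\.(?P<peer>[\d.]+)')

def parse_request(line):
    m = REQ.search(line)  # fields: subnet, host, protoport, peer
    return m.groupdict() if m else None

def parse_conns(text):  # minimal reader: {conn name: {key: value}}, skips 'config setup'
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        head = line.split()
        if len(head) > 1 and head[0] in ('conn', 'config'):
            cur = conns.setdefault(head[1], {}) if head[0] == 'conn' else None
        elif cur is not None and '=' in line:
            key, val = line.split('=', 1)
            cur[key.strip()] = val.strip()
    return conns

def net(text):  # returns None for values such as %any
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def explain(req, conn, side='right'):  # side = the conn's local end (assumption)
    problems = []
    if conn.get(side) != req['host']:
        problems.append(f"{side}={conn.get(side)}, request names host {req['host']}")
    have = conn.get(side + 'subnet') or f"{conn.get(side)}/32"
    want = req['subnet'] or f"{req['host']}/32"
    if net(have) != net(want):
        problems.append(f"{side}subnet={have}, request asks for {want}")
    return problems

if __name__ == '__main__':
    print(explain(parse_request(LOG), parse_conns(CONF)['road']))
```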