From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Nov 26 2002 - 12:13:11 CET
For VPN clients behind a NAT box use Mathieu Lafon's NAT traversal patch
which is integrated into Super-FreeS/WAN available from
I think you will also find a howto on how to set up NAT traversal
there.
Regards
Andreas
Mark van Proctor wrote:
> Thanks again Andreas!
> You really are a great help!
>
> Another problem that has just arisen is how to implement a VPN client
> behind a NAT.
> I've tried looking through the documentation for this because I'm sure it's a
> common issue, but can't seem to find an actual explanation of how to set it
> up.
> My server is currently also behind NAT but that was easy, on the client side
> you simply use the public IP as the address and the private subnet as the
> subnet.
> I would like to know, however, how to allow a client behind NAT. Because
> these clients are road warriors and because they are accessing the internet
> through DSL-type connections that have dynamic IPs and NAT / port forwarding
> built into the router I am getting totally stuck. This means very little
> configurability - can forward ports, but not much else.
> Does this mean I need to use the "tunnel through UDP" or whatever it was,
> patch?
> Does this affect EVERY connection? What if I want other connections to be
> done normally, and only maybe 1 to be done tunnelled through UDP?
> Any ideas would be greatly appreciated thanks!!
> Mark
>
>
> ----- Original Message -----
> From: "Andreas Steffen" <andreas.steffen_at_strongsec.net>
> To: "Mark van Proctor" <mark_at_metech.com.au>
> Cc: <users_at_lists.freeswan.org>
> Sent: Tuesday, November 26, 2002 4:56 PM
> Subject: Re: [Users] Win2K <-> FreSWAN repeating problem (ISAKMP SA not
> established)
>
>
>
>>Mark van Proctor wrote:
>>
>>>Thanks Andreas,
>>>I actually found the problem in the end - After upgrading the server I had
>>>remade its Authentication certificate differently and the "subject" was
>>>different for my windows ipsec.conf.
>>>This upgrade to redhat 8 and freeswan 1.99 also rectified my winXP problems.
>>>I do, however, have a quick openSSL query which I understand if you can't (or
>>>don't have time to) answer but thought I would ask anyway while I am emailing
>>>you - how do you revoke a certificate and add it to the CRL?
>>>
>>
>> Revocation: openssl ca -revoke badCert.pem
>>
>> Update CRL: openssl ca -gencrl -out crl.pem
>>
>> PEM to binary: openssl crl -in crl.pem -outform der -out cert.crl
>>
>>
>>Regards
>>
>>Andreas
>>
>>
>>>Thanks!!
>>>
>>>Mark
>>>
>>>----- Original Message -----
>>>From: "Andreas Steffen" <andreas.steffen_at_strongsec.net>
>>>To: "Mark van Proctor" <mark_at_metech.com.au>
>>>Cc: <users_at_lists.freeswan.org>
>>>Sent: Monday, November 25, 2002 11:25 PM
>>>Subject: Re: [Users] Win2K <-> FreSWAN repeating problem (ISAKMP SA not
>>>established)
>>>
>>>
>>>
>>>
>>>>Mark van Proctor wrote:
>>>>
>>>>>Hi people.
>>>>>I have seen a number of people emailing requests for help with ISAKMP SA not
>>>>>establishing correctly
>>>>>The actual error being: "encrypted Informational Exchange message is invalid
>>>>>because it is for incomplete ISAKMP SA"
>>>>>I have, however, seen absolutely no responses or instructions on how to
>>>>>resolve this.
>>>>
>>>>This notification message is always a sure sign that a problem occurred on
>>>>the peer side (in your case Wk2). Usually this is a certificate or private key
>>>>problem. Please activate the oakley.log via the Windows registry and look
>>>>for errors.
>>>>
>>>>>Please could someone help?
>>>>>I am using Win2K with the ipsec tool created by Marcus. I am using RedHat
>>>>>8.0 with FreeSWAN 1.99 installed via pre-patched RPM from www.freeswan.ca
>>>>>I used to use 1.97 on RedHat 7.3 and the connection worked. After upgrading,
>>>>>I had to create new x509 certificates and now nothing works. I don't know if
>>>>>it is the x509 certificates or what, because nothing has changed on the
>>>>>Win2k side (it used to work...).
>>>>>Please help,
>>>>>thanks.
>>>>>
>>>>>Mark
>>>>>
>>>>>Mark van Proctor
>>>>>Systems Administrator
>>>>>Metech Pty Ltd
>>>>>24 Moreau Mews
>>>>>Applecross WA 6153
>>>>>Ph: 9316 6600
>>>>>Fax: 9316 6699
>>>>>Mobile: 0411 749 282
>>>>>mark_at_metech.com.au
>>>>
>>======================================================================
>>Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
>>strongSec GmbH phone: +41 76 340 25 56
>>Alter Zürichweg 20 home: http://www.strongsec.com
>>CH-8952 Schlieren (Switzerland)
>>==========================================[strong internet security]==
>>
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
-- 
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
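The three OpenSSL commands quoted in Andreas's earlier reply (revoke, regenerate the CRL, convert PEM to DER) as a runnable walk-through. This is an added example, not code from the thread or from FreeS/WAN: it builds a throwaway CA in a temporary directory, issues a certificate, revokes it, and uses `openssl verify -crl_check` to show what each step actually changes. The file names badCert.pem, crl.pem and cert.crl come from the quoted reply; the CA directory layout, the openssl.cnf section names, the "roadwarrior" CN and the helper function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the original thread): run the quoted commands
# openssl ca -revoke / openssl ca -gencrl / openssl crl -outform der against
# a throwaway CA and confirm with 'openssl verify -crl_check' that the
# revoked certificate is rejected. Everything except the file names
# badCert.pem / crl.pem / cert.crl is an assumption made for this demo.
set -e

# Minimal CA directory and openssl.cnf: 'openssl ca' will not run without a
# database (index.txt), a serial file and a CA section pointing at them.
setup_ca() {
    ca="$1"
    mkdir -p "$ca/newcerts" "$ca/private"
    : > "$ca/index.txt"
    echo 1000 > "$ca/serial"
    echo 01 > "$ca/crlnumber"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = usr_cert

[ demo_policy ]
commonName = supplied

[ usr_cert ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$ca/openssl.cnf" -extensions v3_ca -subj "/CN=Demo CA" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
}

# Issue an end-entity certificate for CN $2 from CA dir $1 into file $3.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$2" -keyout "$1/private/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$3" 2>/dev/null
}

# The three steps from the thread, each run against the demo CA config.
revoke_cert() { openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null; }
update_crl()  { openssl ca -config "$1/openssl.cnf" -gencrl -out "$2" 2>/dev/null; }
pem_to_der()  { openssl crl -in "$1" -outform der -out "$2"; }

# Prints "valid" or "revoked" for certificate $3 checked against PEM CRL $2.
check_cert() {
    if openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$2" "$3" >/dev/null 2>&1; then
        echo valid
    else
        echo revoked
    fi
}

# True if the serial number of certificate $2 is listed in PEM CRL $1.
crl_lists() {
    serial=$(openssl x509 -in "$2" -noout -serial)
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: ${serial#serial=}"
}

# True if DER CRL $1 carries a valid signature from CA certificate $2.
der_crl_verifies() {
    openssl crl -inform der -in "$1" -noout -CAfile "$2" 2>&1 | grep -q "verify OK"
}

# Returns a one-line summary of the certificate's status at each stage.
run_demo() {
    d=$(mktemp -d)
    setup_ca "$d"
    issue_cert "$d" roadwarrior "$d/badCert.pem"
    update_crl "$d" "$d/crl.pem"                             # empty CRL; -crl_check needs one to exist
    before=$(check_cert "$d" "$d/crl.pem" "$d/badCert.pem")
    revoke_cert "$d" "$d/badCert.pem"                        # only marks the entry "R" in index.txt
    stale=$(check_cert "$d" "$d/crl.pem" "$d/badCert.pem")   # old CRL still accepts the certificate
    update_crl "$d" "$d/crl.pem"                             # now the CRL carries the serial
    after=$(check_cert "$d" "$d/crl.pem" "$d/badCert.pem")
    pem_to_der "$d/crl.pem" "$d/cert.crl"
    listed=no; crl_lists "$d/crl.pem" "$d/badCert.pem" && listed=yes
    der=bad;   der_crl_verifies "$d/cert.crl" "$d/cacert.pem" && der=ok
    rm -rf "$d"
    echo "before=$before stale=$stale after=$after listed=$listed der=$der"
}

run_demo
```

The `stale` stage is the caveat worth remembering: `openssl ca -revoke` only marks the entry in the CA database, and a peer that is still checking against the previously issued CRL keeps accepting the certificate until `openssl ca -gencrl` is run again and the new CRL (PEM, or the DER form produced by `openssl crl -outform der`) is distributed to every gateway that performs the check.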
This archive was generated by hypermail 2.1.5 : Wed Nov 27 2002 - 05:20:52 CET