
IPSec behind NAT



Hi all,

I've managed to get IPsec working behind NAT, with the following
configuration.

On the client, /etc/ipsec.conf config looks like:

conn nat-vpn
    authby=rsasig
    #Left security gateway, subnet behind it, next hop toward right.
    left=%defaultroute
    leftsubnet=192.168.107.17/32
    leftnexthop=
    leftid=@muon.humbug.org.au
    leftrsasigkey=0sAQNaMn5LE8NFHUvwsfizhVyEQKTOH32zda3nJM0nJI+O4AsLzntTcOrwmtriLZHO9Z+zG3OIz8wheAoj5dS1SiBNkoW7py44DOUutbTMDwCkOay+0m5+qdP5sp2p/kWWD2j3PveOPgg3IVE/1saMTbQwfSwgPOyNWPvgVSLEWHp6mw==
    right=203.20.51.50
    rightid=@stallman.pisoftware.com
    rightrsasigkey=0sAQNWRB7dgatjoGNa8GK20mgolKrY7q5Lk6mhD3eFcuQMjGsrWvPzytx0L6Aa5sZMjDSi2bJ/QCELhKIp7IwmIyuE6360oedrTlGWwHWn/j7Q8OWHcas0QQMK7eOq96dq+oJfi0xNWvwAa9XDSbZx29roqmE++n7cp0M0P0Cv+U5S/Q==
    rightsubnet=192.168.20.0/24
    rightnexthop=203.20.51.1
    auto=add

On the server, /etc/ipsec.conf looks like:

conn nat-vpn
    authby=rsasig
    #authby=secret
    #Left security gateway, subnet behind it, next hop toward right.
    left=0.0.0.0
    leftsubnet=192.168.107.17/32
    leftnexthop=
    leftid=@muon.humbug.org.au
    leftrsasigkey=0sAQNaMn5LE8NFHUvwsfizhVyEQKTOH32zda3nJM0nJI+O4AsLzntTcOrwmtriLZHO9Z+zG3OIz8wheAoj5dS1SiBNkoW7py44DOUutbTMDwCkOay+0m5+qdP5sp2p/kWWD2j3PveOPgg3IVE/1saMTbQwfSwgPOyNWPvgVSLEWHp6mw==
    right=203.20.51.50
    rightid=@stallman.pisoftware.com
    rightrsasigkey=0sAQNWRB7dgatjoGNa8GK20mgolKrY7q5Lk6mhD3eFcuQMjGsrWvPzytx0L6Aa5sZMjDSi2bJ/QCELhKIp7IwmIyuE6360oedrTlGWwHWn/j7Q8OWHcas0QQMK7eOq96dq+oJfi0xNWvwAa9XDSbZx29roqmE++n7cp0M0P0Cv+U5S/Q==
    rightsubnet=192.168.20.0/24
    rightnexthop=203.20.51.1
    auto=add

The machine in front of the client needs to have full IP masquerading
for the client.  I'm not sure what would happen if you tried to have
two machines start up a vpn behind NAT - in this case, you'd be better
setting up IPSec on the box in front of the clients, and specifying
multiple VPNs there.

Thanks,
Brad
-- 
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|Brad Marshall                    |           Plugged In Software|
|Senior Systems Administrator     |     http://www.pisoftware.com|
|mailto:bmarshal@pisoftware.com   |  GPG Key Id: 47951BD0 / 1024b|
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
 Fingerprint:  BAE3 4794 E627 2EAF 7EC0  4763 7884 4BE8 4795 1BD0
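The two conn sections above have to agree on identities, keys and subnets, and the only deliberate difference between them is the NAT-specific `left=` value. The script below is an added example, not Brad's configuration or any FreeS/WAN tooling: it parses `conn` sections in the ipsec.conf key=value layout shown in the post and reports where a client copy and a server copy of the same conn disagree. The embedded configs are constructed (placeholder RSA keys, documentation addresses and `.invalid` host names), so it runs offline.

```python
"""Check that the client and server copies of an ipsec.conf 'conn' agree.

Added example, not part of the original post. Sample configs below are
constructed to mirror the post's layout; keys and addresses are placeholders.
"""
import re
from typing import Dict, List, Optional

# Constructed client-side config (placeholder key material).
CLIENT_CONF = """\
conn nat-vpn
    authby=rsasig
    #Left security gateway, subnet behind it, next hop toward right.
    left=%defaultroute
    leftsubnet=192.168.107.17/32
    leftnexthop=
    leftid=@client.example.invalid
    leftrsasigkey=0sPLACEHOLDER-CLIENT-KEY
    right=203.0.113.50
    rightid=@gateway.example.invalid
    rightrsasigkey=0sPLACEHOLDER-SERVER-KEY
    rightsubnet=192.168.20.0/24
    rightnexthop=203.0.113.1
    auto=add
"""

# Constructed server-side config: same conn, but left=0.0.0.0 as in the post.
SERVER_CONF = CLIENT_CONF.replace("left=%defaultroute", "left=0.0.0.0") \
                         .replace("authby=rsasig", "authby=rsasig\n    #authby=secret")

# Settings that must be identical on both ends for the tunnel to come up.
MUST_MATCH = ("authby", "leftid", "rightid", "leftrsasigkey", "rightrsasigkey",
              "leftsubnet", "rightsubnet", "right")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Unindented 'conn NAME' lines open a section; indented key=value lines
    belong to the current section; '#' comments and blank lines are skipped.
    An empty value such as 'leftnexthop=' is kept as ''.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            match = re.match(r"^conn\s+(\S+)\s*$", line)
            current = match.group(1) if match else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            conns[current][key.strip()] = value.strip()
    return conns


def check_pair(client_text: str, server_text: str, conn: str = "nat-vpn") -> List[str]:
    """Return a list of problems; an empty list means the two copies agree."""
    client = parse_ipsec_conf(client_text).get(conn)
    server = parse_ipsec_conf(server_text).get(conn)
    if client is None or server is None:
        side = "client" if client is None else "server"
        return [f"conn {conn} missing on {side}"]
    problems = []
    for key in MUST_MATCH:
        if client.get(key) != server.get(key):
            problems.append(f"{key}: client={client.get(key)!r} server={server.get(key)!r}")
    # NAT pattern from the post: the client learns its address from the default
    # route, while the server side is written with left=0.0.0.0.
    if client.get("left") != "%defaultroute":
        problems.append(f"client left={client.get('left')!r}, expected %defaultroute")
    if server.get("left") != "0.0.0.0":
        problems.append(f"server left={server.get('left')!r}, expected 0.0.0.0")
    return problems


if __name__ == "__main__":
    issues = check_pair(CLIENT_CONF, SERVER_CONF)
    print("OK: both copies agree" if not issues else "\n".join(issues))
```

Point `check_pair` at the real files from both hosts (read them into strings) before bringing the tunnel up; a mismatch in `leftid`, `rightid` or either `rsasigkey` is the usual reason an RSA-authenticated conn fails to negotiate.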