Site to site IPsec VPN behind NAT with Openswan on Ubuntu 14.04

Site A

PUBLIC IP (Not behind NAT)

conn SiteX-to-SiteX
authby=secret
pfs=no
auto=start
keyingtries=%forever
ikelifetime=8h
keylife=1h
ike=3des-md5;modp1024
phase2alg=3des-md5
type=tunnel

left=[PUBLIC IP A]
leftsubnet=192.168.1.0/24
leftsourceip=192.168.1.242 # This is required for routing later with static route entry

aggrmode=no

right=[PUBLIC IP B]
rightsubnet=192.168.32.0/24

dpddelay=10
dpdtimeout=3600
dpdaction=restart

Site B

VPN server behind NAT
Ensure that UDP port 500 & 4500 is translated to local VPN server IP

conn SiteX-to-SiteX
authby=secret
pfs=no
auto=start
keyingtries=%forever
ikelifetime=8h
keylife=1h
ike=3des-md5;modp1024
phase2alg=3des-md5
type=tunnel

left=[LOCAL IP] # Due to NAT Server does not have PUBLIC IP
leftid=[PUBLIC IP] # Requires PUBLIC IP of NAT router
leftsubnet=192.168.32.0/24 # Local subnet
leftsourceip=192.168.32.254 # This is required for routing later with static route entry

aggrmode=no

right=[PUBLIC IP B]
rightsubnet=192.168.32.0/24

dpddelay=10
dpdtimeout=3600
dpdaction=restart

 

1 thought on “Site to site IPsec VPN behind NAT with Openswan on Ubuntu 14.04”

  1. Leib Rashna

    I have a VPN set up with very similar configuration to this. It connects successfully. I can only communicate between the two servers, but the other computers at Site A cannot communicate with those at Site A, otherwise. I assume this has something to do with static routes (i.e. “This is required for routing later with static route entry”) or firewall rules or both. Could you possibly advise on how to have the computers at both sites to communicate with one another?

Leave a Comment

Your email address will not be published. Required fields are marked *