On Wed, Jul 1, 2015 at 6:17 PM, Kevin Layer <[email protected]> wrote:

> Michael Rash wrote:
>
> >> Hi Kevin,
> >>
> >> Understood. The same encryption key is used in both stanzas, and you
> >> use the OPEN_PORTS variable as a way to tell which one the SPA packet
> >> applies to. Try the following: comment out the ENABLE_IPT_LOCAL_NAT
> >> variable in fwknopd.conf (fwknopd has largely switched to using the
> >> FORCE_*NAT vars in access.conf), and then set your access.conf file
> >> like this:
>
> That all makes sense.
>
> >>
> >> SOURCE               ANY
> >> OPEN_PORTS           tcp/10001
> >> KEY                  ...
> >> FORCE_NAT            192.168.0.1 22
> >> FW_ACCESS_TIMEOUT    3600
> >>
> >> SOURCE               ANY
> >> OPEN_PORTS           tcp/10002
> >> KEY                  ...
> >> FORCE_NAT            192.168.0.5 22
> >> FW_ACCESS_TIMEOUT    3600
> >>
> >> Then, on the client side, you can remove the NAT_ACCESS variables
> >> altogether. You should have access then with:
>
> >>
> >> $ fwknop --nat-local -n A
>
> fwknop: fko_set_nat_access_str: Error 13 - Invalid SPA nat_access message format
>
> Does that mean I need a newer client?  I have 2.0.4.
>

Ah, can you try adding the "NAT_ACCESS          192.168.0.1,22" line back
into your ~/.fwknoprc file for system A? Then try the same "fwknop
--nat-local -n A" command.

Thanks,

--Mike
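As an added illustration (not code from fwknop or from anyone in this thread), the following Python lint reads an access.conf laid out the way Mike suggests, where two stanzas share one KEY and are told apart only by OPEN_PORTS, and flags the two things that would break that setup: a FORCE_NAT value that is not "<ip> <port>", and two stanzas with the same KEY and OPEN_PORTS, which fwknopd could not distinguish. It assumes each stanza begins at its SOURCE line (fwknop's convention) and uses a placeholder key rather than a real one.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the two-stanza access.conf from the thread.
# The KEY value is a placeholder, not a real fwknop key.
SAMPLE_ACCESS_CONF = """\
SOURCE              ANY
OPEN_PORTS          tcp/10001
KEY                 placeholder_key
FORCE_NAT           192.168.0.1 22
FW_ACCESS_TIMEOUT   3600

SOURCE              ANY
OPEN_PORTS          tcp/10002
KEY                 placeholder_key
FORCE_NAT           192.168.0.5 22
FW_ACCESS_TIMEOUT   3600
"""

# FORCE_NAT takes a space-separated "<ip> <port>" pair (not "ip,port" or "ip:port").
FORCE_NAT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (\d{1,5})$")


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split access.conf into stanzas; every SOURCE line starts a new one."""
    stanzas: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "SOURCE":
            stanzas.append({})
        if not stanzas:
            raise ValueError("directive before first SOURCE: " + line)
        stanzas[-1][key] = value.strip()
    return stanzas


def lint_stanzas(stanzas: List[Dict[str, str]]) -> List[str]:
    """Report malformed FORCE_NAT values and stanzas that share KEY+OPEN_PORTS."""
    problems: List[str] = []
    seen: Dict[tuple, int] = {}
    for i, st in enumerate(stanzas, 1):
        nat = st.get("FORCE_NAT")
        if nat is not None and not FORCE_NAT_RE.match(nat):
            problems.append(f"stanza {i}: FORCE_NAT must be '<ip> <port>', got {nat!r}")
        ident = (st.get("KEY"), st.get("OPEN_PORTS"))
        if ident in seen:  # same key and same port: fwknopd cannot tell them apart
            problems.append(f"stanza {i}: same KEY and OPEN_PORTS as stanza {seen[ident]}")
        else:
            seen[ident] = i
    return problems
```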
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss