[strongSwan] Question involving NAT

David Spracklen david_spracklen at yahoo.com
Wed Sep 22 16:11:52 CEST 2010


I've tried to use the examples to set up a test of my own involving NAT, but I 
haven't been able to get it to work. I'll list as much of what's going on here 
in hopes you can show me what I'm missing.

There are two machines communicating, Alice and Bob.

Alice: a Fedora VM on a Windows PC
Bob:  a Fedora computer

Alice uses NAT to access the network through the hosting PC to avoid network 
conflicts. That's the biggest difference between my setup and the examples. 
There aren't two NAT machines making a tunnel; I'm trying to make a tunnel 
between two machines, one of which is using NAT to talk to the network.

                   NAT
AliceVM<------->PC<------------>Bob

Thus far I can get Alice and Bob to negotiate a tunnel and their logs clearly 
show everything is working, and yet no data between the two is encrypted.  I use 
Wireshark to watch the packets.  When I examine the xfrm information on Bob, it 
shows that the IP address in the table is that of the PC and not the VM.  When 
running 'ipsec status' it shows that the IP address for Alice is that of the VM.

Alice's ipsec.conf:
conn alice-to-bob
    left=%any
    leftcert=alice_cert.der
    leftid="alice at here"
    leftsubnet=192.168.140.0/24
    leftfirewall=yes
    right=192.168.15.177
    rightallowany=yes
    rightsubnet=192.168.15.0/24
    rightid="bob at there"

Bob's ipsec.conf:
conn alice-to-bob
    left=192.168.15.177
    leftcert=bob_cert.der
    leftid="bob at there"
    right=%any
    rightallowany=yes
    rightsubnet=192.168.140.0/24
    rightid="alice at here"
    auto=add

I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf because 
when I do that, the system's networking locks up for some reason.  One thing I 
wonder about is that the 'system lockup' might be because the tunnel is actually 
functioning, but there are issues with my X session (using Xming) from my PC 
(that's also running the Alice VM) to Bob.

So, again, the real issue with this setup as it is currently is that the 
negotiation happens and strongSwan seems to create a tunnel, but no data 
encryption is actually happening.  That's the main problem.  I included the 
second issue only to demonstrate one other way I tried to solve the problem and 
get data encryption to happen.

I can't really get the logs off of these machines because their network is cut 
off. If they're needed I can type relevant information from them manually, 
though. I hope that's enough information for you all to be able to give me some 
guidance.

Thanks much for your help.

Dave
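Added example, not code from Dave's post or from strongSwan: a small Python checker that separates the two things the xfrm tables describe, run over constructed `ip xfrm policy` / `ip xfrm state` output in the shape Bob would see. Under NAT traversal the SA endpoints legitimately carry the PC's outer address (192.168.15.50 is an assumed value), so seeing it there is not the fault; whether a given packet is encrypted is decided by an outbound policy whose selector covers the inner addresses, and that is what the checker classifies.

```python
import ipaddress
import re

# Constructed sample output (not captured from the poster's machines), as Bob would
# see it: policy selectors carry the inner subnets from ipsec.conf, while the
# templates and SAs carry the outer addresses, i.e. the PC's NAT address 192.168.15.50.
POLICY_OUT = """\
src 192.168.15.177/32 dst 192.168.140.0/24
    dir out priority 2339
    tmpl src 192.168.15.177 dst 192.168.15.50
        proto esp reqid 1 mode tunnel
src 192.168.140.0/24 dst 192.168.15.177/32
    dir in priority 2339
    tmpl src 192.168.15.50 dst 192.168.15.177
        proto esp reqid 1 mode tunnel
"""
STATE_OUT = """\
src 192.168.15.177 dst 192.168.15.50
    proto esp spi 0xc0ffee01 reqid 1 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.15.50 dst 192.168.15.177
    proto esp spi 0xc0ffee02 reqid 1 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

POLICY_RE = re.compile(r"src (\S+) dst (\S+)\s+dir (\w+)[^\n]*\n\s*"
                       r"tmpl src (\S+) dst (\S+)\s+proto \w+ reqid (\d+)")
STATE_RE = re.compile(r"src (\S+) dst (\S+)\s+proto \w+ spi \S+ reqid (\d+)")

def parse_policies(text):
    """Return (src_net, dst_net, dir, tmpl_src, tmpl_dst, reqid) per policy entry."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), dr, ts, td, int(r))
            for s, d, dr, ts, td, r in POLICY_RE.findall(text)]

def parse_states(text):
    """Return the set of installed SAs as (outer_src, outer_dst, reqid)."""
    return {(s, d, int(r)) for s, d, r in STATE_RE.findall(text)}

def flow_protected(src_ip, dst_ip, policy_text, state_text):
    """Classify an outbound flow: 'protected', 'policy-without-sa' or 'plaintext'.

    'plaintext' means no 'out' policy selector covers the inner addresses, so the
    kernel forwards the packet unencrypted even though IKE negotiated SAs."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    states = parse_states(state_text)
    for snet, dnet, dr, tsrc, tdst, reqid in parse_policies(policy_text):
        if dr == "out" and src in snet and dst in dnet:
            return "protected" if (tsrc, tdst, reqid) in states else "policy-without-sa"
    return "plaintext"
```

On a real host, feed it the actual output of `ip xfrm policy` and `ip xfrm state` in place of the constructed strings and test the inner source and destination of the traffic that shows up unencrypted in Wireshark.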


