[strongSwan] NAT over VPN

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Mon Nov 25 22:41:15 CET 2013


On Mon, Nov 25, 2013 at 04:24:45PM +0000, Will Wykeham wrote:
> > Using a packet sniffer on the gateway itself can give misleading results.
> > I'd recommend to either use a box separate from the gateway to monitor
> > the traffic, or read xfrm packet counters on the gateway with "ipsec
> > statusall".
> 
> I'm interested you say that packet sniffing on the device isn't completely
> reliable - it's been ok so far, but definitely worth bearing in mind. Are there
> any particular circumstances under which I should be wary of it?

I just checked again, and it appears that on Linux, outgoing ESP packets
are shown only as encrypted, while incoming ESP packets show up twice,
before and after decryption.  This happens consistently; it's just that
some people may find it confusing.

IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xcbde531a,seq=0x1), length 132
IP 192.168.0.2 > 192.168.0.1: ESP(spi=0xc8a7ed1b,seq=0x1), length 132
IP 10.2.0.10 > 10.1.0.10: ICMP echo reply, id 6929, seq 1, length 64
(recorded on gateway moon from a strongSwan net2net test scenario)

> The xfrm policy (from "ip xfrm state" - an invaluable discovery!), ...

A companion command to "ip xfrm state", which shows the security
associations, is "ip xfrm policy", which shows the policy rules.
A summary view is also available with "ipsec statusall".

If you haven't done so yet, take a look at the strongSwan test scenarios at
http://www.strongswan.org/test-scenarios.html
As it says, they contain "rich configuration examples" and useful commands.

On Mon, Nov 25, 2013 at 06:22:49PM +0000, Will Wykeham wrote:
> The use of the SNAT rule is exactly what I needed, and the initial test seems
> to work.
> 
> Thanks for the help!
> Will

I am glad to hear it is working for you now.
Credits should also go to the strongSwan team, whose excellent
software, documentation and support helped me with my own setup.

Regards,
Mirko
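The counter-based check suggested above, written out as an added example (this is not code from the message or from the strongSwan project): it reads "ip -s xfrm state" output, prints the running packet count per ESP SPI, and diffs two snapshots taken around a test ping, so a non-zero delta shows which SA actually carried the traffic without relying on a sniffer on the gateway. The function names, the trimmed sample output and the SPI/address values are constructed for illustration; the sample keeps only the lines of the real "ip -s xfrm state" layout that the parser needs.

```shell
#!/bin/sh
# Added example, not code from the original message or from strongSwan:
# count packets per ESP SA from "ip -s xfrm state" and diff two snapshots.
# SPIs, addresses and the sample output below are constructed.

# xfrm_counters: read "ip -s xfrm state" text on stdin, emit "<spi> <packets>"
# for every ESP SA (the "lifetime current:" block holds the running totals).
xfrm_counters() {
    awk '
        /^src / { spi = "" }                       # start of a new SA block
        /proto esp spi / {                         # "proto esp spi 0x... reqid ..."
            for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1)
        }
        /lifetime current:/ {                      # next line: "N(bytes), M(packets)"
            if ((getline line) > 0 && spi != "") {
                sub(/.*\(bytes\), */, "", line)
                sub(/\(packets\).*/, "", line)
                print spi, line
            }
        }
    '
}

# xfrm_delta BEFORE AFTER: print "<spi> <packets added>" for every SPI in AFTER,
# so an SA that really carried the test traffic shows a non-zero delta.
xfrm_delta() {
    awk 'FILENAME == ARGV[1] { before[$1] = $2; next }
         { print $1, $2 - (($1 in before) ? before[$1] : 0) }' "$1" "$2"
}

# Constructed snapshots in the "ip -s xfrm state" layout, trimmed to the
# lines the parser needs; they stand in for a real before/after capture.
sample_before() {
cat <<'EOF'
src 192.168.0.1 dst 192.168.0.2
    proto esp spi 0xcbde531a reqid 1 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
src 192.168.0.2 dst 192.168.0.1
    proto esp spi 0xc8a7ed1b reqid 1 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
EOF
}

sample_after() {
cat <<'EOF'
src 192.168.0.1 dst 192.168.0.2
    proto esp spi 0xcbde531a reqid 1 mode tunnel
    lifetime current:
      312(bytes), 3(packets)
src 192.168.0.2 dst 192.168.0.1
    proto esp spi 0xc8a7ed1b reqid 1 mode tunnel
    lifetime current:
      312(bytes), 3(packets)
EOF
}

# demo: run the two-snapshot check on the constructed samples. On a real
# gateway (as root) the same steps are:
#   ip -s xfrm state | xfrm_counters > /tmp/before
#   ping -c 3 10.2.0.10
#   ip -s xfrm state | xfrm_counters > /tmp/after
#   xfrm_delta /tmp/before /tmp/after
demo() {
    demo_before=$(mktemp); demo_after=$(mktemp)
    sample_before | xfrm_counters > "$demo_before"
    sample_after  | xfrm_counters > "$demo_after"
    xfrm_delta "$demo_before" "$demo_after"
    rm -f "$demo_before" "$demo_after"
}

demo
```

Expect one line per SPI; an SA whose delta stays at zero after the ping is the one to investigate (wrong traffic selector, policy not matching, or packets leaving the gateway unencrypted), which a sniffer on the gateway would not make obvious because outgoing plaintext never appears in its capture.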
