<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div>Sorry, I should have stated that I am using IKEv2. (charon) When I tried to set the %defaultroute I got a message that it wasn't supported.<br><br>Dave<br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Andreas Steffen <andreas.steffen@strongswan.org><br><b><span style="font-weight: bold;">To:</span></b> David Spracklen <david_spracklen@yahoo.com><br><b><span style="font-weight: bold;">Cc:</span></b> users@lists.strongswan.org<br><b><span style="font-weight: bold;">Sent:</span></b> Wed, September 22, 2010 1:32:47 PM<br><b><span style="font-weight:
bold;">Subject:</span></b> Re: [strongSwan] Question involving NAT<br></font><br>
Hello Dave,<br><br>are you using IKEv1? If yes then IKEv1 does not support<br>the left=%any statement since automatic route lookup<br>does not work. Rather use left=%defaultroute.<br><br>Regards<br><br>Andreas<br><br>On 22.09.2010 16:11, David Spracklen wrote:<br>> I've tried to use the examples to set up a test of my own involving NAT,=<br>> but I haven't been able to get it to work. I'll list as much of what's<br>> going on here in hopes you can show me what I'm missing.<br>> <br>> There are two machines communicating, Alice and Bob.<br>> <br>> Alice: a Fedora VM on a Windows PC<br>> Bob: a Fedora computer<br>> <br>> Alice uses NAT to access the network through the hosting PC to avoid<br>> network conflicts. That's the biggest difference between my setup and<br>> the examples. There aren't two NAT machines making a tunnel; I'm trying<br>> to make a tunnel between two machines, one of which is using NAT to
talk<br>> to the network.<br>> <br>> NAT<br>> AliceVM<------->PC<------------>Bob<br>> <br>> Thus far I can get Alice and Bob to negotiate a tunnel and their logs<br>> clearly show everything is working, and yet no data between the two is<br>> encrypted. I use Wireshark to watch the packets. When I examine the<br>> xfrm information on Bob, it shows that the IP address in the table is<br>> that of the PC and not the VM. When running 'ipsec status' it shows<br>> that the IP address for Alice is that of the VM.<br>> <br>> Alice's ipsec.conf<br>> conn alice-to-bob<br>> left=%any<br>> leftcert=alice_cert.der<br>> leftid="alice@here"<br>> leftsubnet=192.168.140.0/24<br>> leftfirewall=yes<br>>
right=192.168.15.177<br>> rightallowany=yes<br>> rightsubnet=192.168.15.0/24<br>> rightid="bob@there"<br>> <br>> Bob's ipsec.conf:<br>> conn alice-to-bob<br>> left=192.168.15.177<br>> leftcert=bob_cert.der<br>> leftid="bob@there"<br>> right=%any<br>> rightallowany=yes<br>> rightsubnet=192.168.140.0/24<br>> rightid="alice@here"<br>> auto=add<br>> <br>> I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf<br>> because when I do that, the system's networking locks up for some<br>> reason. One thing I wonder about is that the 'system lockup' might be<br>> because the tunnel is actually functioning, but there are issues with my<br>> X session (using Xming) from my PC (that's also running the Alice VM) to<br>> Bob.<br>>
<br>> So, again, the real issue with this setup as it is currently is that the<br>> negotiation happens and strongSwan seems to create a tunnel, but no data<br>> encryption is actually happening. That's the main problem. I included<br>> the second issue only to demonstrate one other way I tried to solve the<br>> problem and get data encryption to happen.<br>> <br>> I can't really get the logs off of these machines because their network<br>> is cut off. If they're needed I can type relevant information from them<br>> manually, though. I hope that's enough information for you all to be<br>> able to give me some guidance.<br>> <br>> Thanks much for your help.<br>> <br>> Dave<br><br>======================================================================<br>Andreas Steffen <a ymailto="mailto:andreas.steffen@strongswan.org"
href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a target="_blank" href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></div>
</div><br>
</body></html>