<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Andreas,</span></div><div><span>I am not sure what the variables are, can you please explain to me what the </span>PH_IP_ALICE, $PLUTO_PEER_CLIENT, and $PLUTO_MY_SOURCEIP are supposed to be? also when i bring up the connection it gives me the unknown verb 'up-client' error and if i remove that line i get the following,</div><div><br><span></span></div><div><span>Jul 22 20</span><span>:41:14 14[CHD] updown: /etc/nat_updown1: line 21: syntax error near unexpected token `-A'</span></div><div><span><br></span></div><div>Are there any examples anywhere showing a working updown script for what I am trying to do?</div><div><br></div><div>Thanks,</div><div><br></div><div>Mark-<br><span></span></div><div><br></div> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family:
times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Andreas Steffen <andreas.steffen@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Mark M <mark076h@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Sunday, July 22, 2012 4:43 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] How to do NAT before ESP? having trouble<br> </font> </div> <br>
Hi Mark,<br><br>here is an IKEv2 example where the clients are NAT-ed to the<br>virtual IP of the gateway:<br><br>http://www.strongswan.org/uml/testresults5/ikev2/nat-virtual-ip/<br><br>In order to automatically insert the NAT iptables rules you need<br>a special updown scripts I wrote a couple of years ago:<br><br>http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown;h=aab1df687484362b2c16eaf6bd30d05b3590520a;hb=HEAD<br><br>Best regards<br><br>Andreas<br><br>On 07/22/2012 08:53 AM, Mark M wrote:<br>> Hi,<br>><br>> I am running a mobile road warrior client with strongSwan connecting to<br>> a strongSwan gateway. The mobile client has two interfaces, one for an<br>> inside subnet and one for the WAN connection. Behind my mobile client on<br>> the LAN side, I have another host that I would like to connect through<br>> the mobile client using NAT. Kinda like if i used my laptop
as a mobile<br>> hotspot for other clients to connect to and all their connections are<br>> sent to my strongSwan gateway. I tried to setup NAT using iptables with<br>> the inside interface and the outside interface and it does not work. I<br>> looked around on old emails and i think what i am looking to do is it<br>> NAT before ESP. I need to NAT my LAN client to the virtual IP address or<br>> the outside WAN interface before it gets sent down the tunnel to my<br>> strongSwan gateway. I was looking at the older emails about the updown<br>> scripts but I can't find one for IKEv2 and charon. I also read that<br>> there was work being done on a leftnat parameter but work on it was halted.<br>><br>> Is there any way I can do this?<br>><br>> Thanks<br>><br>> Mark-<br><br><br>-- <br>======================================================================<br>Andreas Steffen
<a ymailto="mailto:andreas.steffen@strongswan.org" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a target="_blank" href="http://www.strongswan.org/">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br><br><br> </div> </div> </div></body></html>