<html><body>
<p><font size="2" face="sans-serif"><br>
</font><font size="2" face="sans-serif">Hello all: </font><br>
<font size="2" face="sans-serif">I've been struggling with this setup for quite some time now, and I'm hoping it is quite simple. </font><br>
<font size="2" face="sans-serif">I have access to the Strongswan side of the VPN, the other side is a cisco ASA 5520 (or something bigger). </font><br>
<br>
<font size="2" face="sans-serif">Unfortunately, my access to the Strongswan side is via VNC to a unix console in what I feel is one of the worst virtual infrastructure providers I've seen.. </font><br>
<br>
<font size="2" face="sans-serif">So here are the details, and I'm hoping that even being vague without everybit of data, someone will have come across this in the past. </font><br>
<br>
<font size="2" face="sans-serif">Strongswan U5.0.4</font><br>
<br>
<font size="2" face="sans-serif">config setup</font><br>
<font size="2" face="sans-serif"> nat_traversal=yes</font><br>
<font size="2" face="sans-serif"> uniqueids=no</font><br>
<font size="2" face="sans-serif"> strictcrlpolicy=no</font><br>
<font size="2" face="sans-serif"> charonstart=yes</font><br>
<font size="2" face="sans-serif"> plutodebug=all</font><br>
<br>
<font size="2" face="sans-serif">conn %default</font><br>
<font size="2" face="sans-serif"> keyingtries=%forever</font><br>
<br>
<font size="2" face="sans-serif">conn Tunnel_1</font><br>
<font size="2" face="sans-serif"> authby=psk</font><br>
<font size="2" face="sans-serif"> auto=add</font><br>
<font size="2" face="sans-serif"> type=tunnel</font><br>
<font size="2" face="sans-serif"> left=10.7.0.10 </font><br>
<font size="2" face="sans-serif"> leftsubnet=10.7.0.0/24</font><br>
<font size="2" face="sans-serif"> leftnexthop=10.7.0.13</font><br>
<font size="2" face="sans-serif"> leftfirewall=yes</font><br>
<font size="2" face="sans-serif"> right=IPADDRESSA</font><br>
<font size="2" face="sans-serif"> rightsubnet=0.0.0.0/0</font><br>
<font size="2" face="sans-serif"> ike=3des-md5</font><br>
<font size="2" face="sans-serif"> esp=3des-md5</font><br>
<font size="2" face="sans-serif"> forceencaps=yes </font><br>
<font size="2" face="sans-serif"> ikelifetime=86400</font><br>
<font size="2" face="sans-serif"> keylife=86400</font><br>
<font size="2" face="sans-serif"> keyexchange=ikev1</font><br>
<br>
<font size="2" face="sans-serif">There are 4 subnets that I want to bring over the VPN</font><br>
<font size="2" face="sans-serif">192.168.0.0/16</font><br>
<font size="2" face="sans-serif">10.48.0.0/16</font><br>
<font size="2" face="sans-serif">X</font><br>
<font size="2" face="sans-serif">Y</font><br>
<font size="2" face="sans-serif">etc....</font><br>
<br>
<font size="2" face="sans-serif">I only have one interface on the VPN host (eth0) the service provider doesn't allow any others</font><br>
<font size="2" face="sans-serif">I am able to get traffic from the right side, to the destination host, but only when I use a NAT rule in IPTABLES</font><br>
<font size="2" face="sans-serif">iptables -tnat -APOSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE</font><br>
<br>
<font size="2" face="sans-serif">When I take the NAT statments out.. (and this VPN host isn't doing anything else, so When I flush the NAT table.) It stops working. </font><br>
<font size="2" face="sans-serif">I run tcpdumps on this host, and I see the VPN traffic, Let's say a PING from 192.168.202.100 -> 10.7.0.28. But running wireshark on 10.7.0.28 doesn't see anything until I add the NAT rule back in. </font><br>
<br>
<font size="2" face="sans-serif">The ultimate goal is to create a Tunnel that will allow and establish based on bi-directional traffic.. </font><br>
<br>
<font size="2" face="sans-serif">Also, since this host is not the defaultgateway on the 10.7.0.x segment I was planning on using network routes for the 4 subnets, via this host, 10.7.0.10 to ensure symmetric routing. </font><br>
<br>
<font size="2" face="sans-serif">Any help would be greatly appreciated..I've been at this for quite some time now.. </font><br>
<br>
<font size="2" face="sans-serif">Also ip_forwarding is enabled. </font><br>
<br>
<font size="2" face="sans-serif">cat /proc/sys/net/ipv4/ip_forward</font><br>
<font size="2" face="sans-serif">1</font><br>
<br>
<br>
<font size="2" face="sans-serif">-Jeremy </font><br>
<br>
<br>
<br>
<br>
</body></html>