<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">This worked for me: this end is in Amazon in a VPC with NAT-T. The other end is a Cisco ASA. IPs are examples and sanitized, but you’ll get the idea.<div class=""><br class=""></div><div class=""><font face="Courier" class="">ipsec.conf</font></div><div class=""><font face="Courier" class="">conn vpc-customerXXX</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><div class=""><font face="Courier" class=""> left = 172.16.1.1</font></div><div class=""><font face="Courier" class=""> leftsubnet = 172.16.1.0/24</font></div><div class=""><font face="Courier" class=""> leftfirewall = yes</font></div><div class=""><font face="Courier" class=""> leftauth = psk</font></div><div class=""><font face="Courier" class=""> leftid = 100.1.1.1</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class=""> right = 100.2.2.2</font></div><div class=""><font face="Courier" class=""> rightsubnet = 192.168.1.0/24</font></div><div class=""><font face="Courier" class=""> rightauth = psk</font></div><div class=""><font face="Courier" class=""> rightfirewall = yes</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class=""> closeaction = restart</font></div><div class=""><font face="Courier" class=""> auto = route</font></div><div class=""><font face="Courier" class=""> fragmentation = yes</font></div><div class=""><font face="Courier" class=""> keyexchange = ikev1</font></div><div class=""><font face="Courier" class=""> reauth = yes</font></div><div class=""><font face="Courier" class=""> forceencaps = yes</font></div><div class=""><font face="Courier" class=""> rekey = yes</font></div><div class=""><font face="Courier" class=""> installpolicy = yes</font></div><div class=""><font face="Courier" class=""> type = tunnel</font></div><div class=""><font face="Courier" class=""> dpdaction = restart</font></div><div class=""><font face="Courier" class=""> dpddelay = 10s</font></div><div class=""><font face="Courier" class=""> dpdtimeout = 60s</font></div><div class=""><font face="Courier" class=""> ikelifetime = 3600s</font></div><div class=""><font face="Courier" class=""> lifetime = 3600s</font></div><div class=""><font face="Courier" class=""> ike = aes256-sha1-modp1536!</font></div><div class=""><font face="Courier" class=""> esp = aes256-sha1-modp1024!</font></div><div class=""><font face="Courier" class=""> aggressive = no</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class="">ipsec.secrets</font></div><div class=""><font face="Courier" class=""># /etc/ipsec.secrets - strongSwan IPsec secrets file</font></div><div class=""><font face="Courier" class=""><div class=""><br class=""></div><div class="">: RSA myKey.der</div><div class=""><br class=""></div><div class="">172.16.1.1 : PSK "abcd"</div><div class="">100.2.2.2 : PSK "abcd"</div><div class=""><br class=""></div></font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class="">Left is you, right is them.</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class="">They connect with your "leftid". When I connect to another Strongswan instance, I put in the "rightid" the same as "right". On the other end, just invert the stanzas if it’s Strongswan and that is behind NAT (i.e.
Amazon region to region using Strongswan).</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class="">Secrets need to reference your left (internal IP) and their right (external IP).</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class="">It may be redundant, or have some overkill, but it works and is rock solid.</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><font face="Courier" class="">EKG</font></div><div class=""><font face="Courier" class=""><br class=""></font></div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On Jul 8, 2015, at 5:28 PM, Colin Burrows &lt;<a href="mailto:colinburrows74@gmail.com" class="">colinburrows74@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class=""><div class=""><div class=""><div class="">Hi<br class=""></div><div class=""><br class=""></div>I've been looking at <a href="https://www.strongswan.org/testresults.html" class="">https://www.strongswan.org/testresults.html</a> in order to try to find an example of a net2net setup where one device is behind a NAT. I intend to use such a setup and was hoping for something I could copy, but I did not find any examples.<br class=""><br class=""></div>Could you kindly send me a link to such an example if one is available.<br class=""><br class=""></div>Thanks<br class=""><br class=""></div>Colin<br class=""></div>
_______________________________________________<br class="">Users mailing list<br class=""><a href="mailto:Users@lists.strongswan.org" class="">Users@lists.strongswan.org</a><br class="">https://lists.strongswan.org/mailman/listinfo/users</div></blockquote></div><br class=""></div></body></html>
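The conn above works, but a reader copying it should know what it trades away. As an added example, not code from the post or from the strongSwan project, here is a small linter for ipsec.conf conn sections that parses the posted settings (an abridged, constructed copy with the same sanitized IPs) and flags the things a reviewer would raise: the duplicated `auto` key, SHA-1 integrity and the 1024/1536-bit DH groups in the `ike`/`esp` proposals, IKEv1 where IKEv2 is available, aggressive mode with PSK, and an `esp` proposal with no DH group (no PFS). A constructed hardened variant is checked alongside it; that variant assumes the Cisco peer supports IKEv2, SHA-256 and DH group 14 (modp2048), which is an assumption, not something the post states. The severity list is this example's own.

```python
"""Lint strongSwan ipsec.conf 'conn' sections for weak or inconsistent settings.
Added example, not from the post or strongSwan. Parsing follows the ipsec.conf
format ('conn NAME' header, indented 'key = value' lines, '!' = strict proposal);
the weak-algorithm list and severities are this example's own assumptions."""
import re

# Constructed, abridged copy of the conn posted above (sanitized IPs as posted).
POSTED_CONF = """\
conn vpc-customerXXX
 left = 172.16.1.1
 leftsubnet = 172.16.1.0/24
 leftauth = psk
 leftid = 100.1.1.1
 right = 100.2.2.2
 rightsubnet = 192.168.1.0/24
 rightauth = psk
 auto = route
 keyexchange = ikev1
 forceencaps = yes
 type = tunnel
 auto = route
 ikelifetime = 3600s
 lifetime = 3600s
 ike = aes256-sha1-modp1536!
 esp = aes256-sha1-modp1024!
 aggressive = no
"""

# Constructed hardened variant; assumes the peer supports IKEv2, SHA-256 and modp2048.
HARDENED_CONF = """\
conn vpc-customerXXX
 left = 172.16.1.1
 leftsubnet = 172.16.1.0/24
 leftauth = psk
 leftid = 100.1.1.1
 right = 100.2.2.2
 rightsubnet = 192.168.1.0/24
 rightauth = psk
 auto = route
 keyexchange = ikev2
 forceencaps = yes
 type = tunnel
 ike = aes256-sha256-modp2048!
 esp = aes256-sha256-modp2048!
"""

WEAK = {  # algorithm token -> why it is flagged (this example's assumption)
    "md5": "MD5 integrity is broken",
    "sha1": "SHA-1 integrity; use sha256 or better",
    "3des": "3DES has a 64-bit block (Sweet32)",
    "modp1024": "1024-bit DH (group 2) is below current minimums; use modp2048 or an ECP group",
    "modp1536": "1536-bit DH (group 5) is below the 2048-bit floor",
}
DH_PREFIXES = ("modp", "ecp", "curve")

def parse_conns(text):
    """Return {conn_name: [(key, value), ...]}, keeping duplicate keys in order."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and blanks
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = []
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current].append((key, value))
    return conns

def proposal_algs(value):
    """'aes256-sha1-modp1536!' -> ['aes256', 'sha1', 'modp1536'], over comma-separated proposals."""
    algs = []
    for prop in value.rstrip("!").split(","):
        algs.extend(a.lower() for a in prop.strip().split("-") if a)
    return algs

def lint_conn(settings):
    """Return (severity, key, message) findings for one conn's settings."""
    findings, seen = [], {}
    for key, value in settings:                     # duplicate keys: the last one silently wins
        if key in seen:
            findings.append(("warn", key, f"{key} set twice ({seen[key]!r} then {value!r}); the last wins"))
        seen[key] = value
    for key in ("ike", "esp", "ah"):                # weak algorithms anywhere in the proposals
        for alg in proposal_algs(seen.get(key, "")):
            if alg in WEAK:
                findings.append(("weak", key, f"{alg}: {WEAK[alg]}"))
    if seen.get("keyexchange", "ike").lower() == "ikev1":
        findings.append(("info", "keyexchange", "IKEv1; use ikev2 if the peer supports it"))
        psk = "psk" in (seen.get("leftauth", "").lower(), seen.get("rightauth", "").lower())
        if psk and seen.get("aggressive", "no").lower() == "yes":
            findings.append(("weak", "aggressive", "aggressive mode with PSK exposes the PSK hash to offline cracking"))
    if "esp" in seen and not any(a.startswith(DH_PREFIXES) for a in proposal_algs(seen["esp"])):
        findings.append(("info", "esp", "no DH group in esp proposal: CHILD SA rekeys without PFS"))
    return findings

def lint(text):
    """Lint every conn in an ipsec.conf text: {conn_name: findings}."""
    return {name: lint_conn(s) for name, s in parse_conns(text).items()}

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        for name, findings in lint(conf).items():
            print(f"[{label}] conn {name}: {len(findings)} finding(s)")
            for sev, key, msg in findings:
                print(f"  {sev:5} {key:12} {msg}")
```

Run it as a script and the posted conn produces six findings (the duplicate `auto`, SHA-1 in both proposals, modp1536 in `ike`, modp1024 in `esp`, and the IKEv1 note) while the hardened variant produces none. The `!` suffix is kept as strict in the parser only in the sense that it is stripped before tokenising; strongSwan's own meaning (send exactly this proposal) is unaffected by the linter.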