[strongSwan] NAT with IPsec on 2.6 kernel

Frank Liu gfrankliu at gmail.com
Tue Jul 27 16:02:29 CEST 2010


Hi Andreas,

Thanks for the information!
I just checked that updown script. I have a question regarding the
$PLUTO_INTERFACE variable. I thought 2.6 doesn't have the "ipsec0"
interface anymore. What will that variable point to? Something like
eth0 (physical WAN interface)?

Regards,
Frank

On Tue, Jul 27, 2010 at 2:42 AM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Frank,
>
> Starting with the Linux 2.6.16 kernel, NAT before ESP is no problem.
> You can either map your home network to the outer address of the
> roadwarrior:
>
> http://www.strongswan.org/uml/testresults44/ikev1/nat-before-esp/
>
> or you can map it to the inner virtual IP address which the
> roadwarrior gets via Configuration Payload (IKEv2) or ModeConfig
> (IKEv1) from the remote VPN gateway:
>
> http://www.strongswan.org/uml/testresults44/ikev2/nat-virtual-ip/
>
> This NAT rule can be automatically inserted using a modified
> updown script:
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown;h=aab1df687484362b2c16eaf6bd30d05b3590520a;hb=HEAD
>
> Best regards
>
> Andreas
>
> On 27.07.2010 09:02, Frank Liu wrote:
>> Hi all,
>>
>> I have a setup like the picture shown here
>> http://www.logix.cz/michal/devel/ipsec-tools/nat26.xp
>> Home Linux 2.6.34 firewall runs strongSwan as roadwarrior. It can
>> reach the company network fine. How can I NAT the whole home network so
>> that computers at home can talk to the company network?
>>
>> Thanks!
>> Frank
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
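
A sketch of the kind of updown hook discussed in this thread, added here as an example; it is not strongSwan's nat_updown script and not code from either poster. It builds the SNAT rule that maps the home LAN to the virtual IP and validates the PLUTO_* values first, since the hook runs as root. HOME_NET and all sample addresses are assumptions, and the script only prints the command.

```shell
#!/bin/sh
# Added illustration; NOT strongSwan's nat_updown script.
# HOME_NET is an assumed home LAN prefix (constructed value).
HOME_NET="${HOME_NET:-192.168.1.0/24}"

# Character allowlist (not a full address parser): digits, dots, slash only.
safe_addr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
}

# Interface names: short, no leading dash, no shell or option characters.
safe_ifname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the iptables arguments for the current PLUTO_VERB.
# Prints nothing for verbs that need no NAT change; fails on unsafe input.
nat_rule() {
    case "$PLUTO_VERB" in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *) return 0 ;;
    esac
    safe_ifname "$PLUTO_INTERFACE" || return 1
    for v in "$HOME_NET" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_SOURCEIP"; do
        safe_addr "$v" || return 1
    done
    # Rewrite home-LAN sources to the virtual IP so the traffic matches
    # the tunnel policy (NAT before ESP, as described in the thread).
    echo "-t nat $op POSTROUTING -o $PLUTO_INTERFACE -s $HOME_NET" \
         "-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP"
}

# Dry run: print the command instead of executing it.
if [ -n "${PLUTO_VERB:-}" ]; then
    rule=$(nat_rule) || { echo "nat_updown: unsafe PLUTO_* value" >&2; exit 1; }
    [ -z "$rule" ] || echo "iptables $rule"
fi
```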



