[strongSwan] NAT with IPsec on 2.6 kernel

Andreas Steffen andreas.steffen at strongswan.org
Tue Jul 27 17:06:21 CEST 2010 

Hi Frank,

yes with the Linux 2.6 NETKEY IPsec stack $PLUTO_INTERFACE
points to the physical interface, usually eth0.

Regards

Andreas

On 27.07.2010 16:02, Frank Liu wrote:
> Hi Andreas,
> 
> Thanks for the information!
> I just checked that updown script. I have a question regarding
> $PLUTO_INTERFACE variable. I thought 2.6 doesn't have the "ipsec0"
> interface anymore. What will that variable point to? something like
> eth0 (physical WAN interface)?
> 
> Regards,
> Frank
> 
> On Tue, Jul 27, 2010 at 2:42 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> Hello Frank,
>>
>> starting with the Linux 2.6.16 kernel NAT before ESP is no problem.
>> You can either map your home network to the outer address of the
>> roadwarrior:
>>
>> http://www.strongswan.org/uml/testresults44/ikev1/nat-before-esp/
>>
>> or you can map it to the inner virtual IP address which the
>> roadwarrior gets via Configuration Payload (IKEv2) or ModeConfig
>> (IKEv1) from the remote VPN gateway:
>>
>> http://www.strongswan.org/uml/testresults44/ikev2/nat-virtual-ip/
>>
>> This NAT rule can be automatically inserted using a modified
>> updown script:
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown;h=aab1df687484362b2c16eaf6bd30d05b3590520a;hb=HEAD
>>
>> Best regards
>>
>> Andreas
>>
>> On 27.07.2010 09:02, Frank Liu wrote:
>>> Hi all,
>>>
>>> I have a setup like the picture shown here
>>> http://www.logix.cz/michal/devel/ipsec-tools/nat26.xp
>>> Home Linux 2.6.34 firewall runs Strongswan as roadwarrior. It can
>>> reach company network fine. How can I NAT the whole home network so
>>> that computers at home can talk to the company network?
>>>
>>> Thanks!
>>> Frank

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list