[strongSwan] Question involving NAT
David Spracklen
david_spracklen at yahoo.com
Wed Sep 22 16:11:52 CEST 2010
I've tried to use the examples to set up a test of my own involving NAT, but I
haven't been able to get it to work. I'll list as much of what's going on here
in hopes you can show me what I'm missing.
There are two machines communicating, Alice and Bob.
Alice: a Fedora VM on a Windows PC
Bob: a Fedora computer
Alice uses NAT to access the network through the hosting PC to avoid network
conflicts. That's the biggest difference between my setup and the examples.
There aren't two NAT machines making a tunnel; I'm trying to make a tunnel
between two machines, one of which is using NAT to talk to the network.
NAT
AliceVM<------->PC<------------>Bob
Thus far I can get Alice and Bob to negotiate a tunnel and their logs clearly
show everything is working, and yet no data between the two is encrypted. I use
Wireshark to watch the packets. When I examine the xfrm information on Bob, it
shows that the IP address in the table is that of the PC and not the VM. When
running 'ipsec status' it shows that the IP address for Alice is that of the VM.
Alice's ipsec.conf:
conn alice-to-bob
left=%any
leftcert=alice_cert.der
leftid="alice at here"
leftsubnet=192.168.140.0/24
leftfirewall=yes
right=192.168.15.177
rightallowany=yes
rightsubnet=192.168.15.0/24
rightid="bob at there"
Bob's ipsec.conf:
conn alice-to-bob
left=192.168.15.177
leftcert=bob_cert.der
leftid="bob at there"
right=%any
rightallowany=yes
rightsubnet=192.168.140.0/24
rightid="alice at here"
auto=add
I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf because
when I do that, the system's networking locks up for some reason. One thing I
wonder about is that the 'system lockup' might be because the tunnel is actually
functioning, but there are issues with my X session (using Xming) from my PC
(that's also running the Alice VM) to Bob.
So, again, the real issue with this setup as it is currently is that the
negotiation happens and strongSwan seems to create a tunnel, but no data
encryption is actually happening. That's the main problem. I included the
second issue only to demonstrate one other way I tried to solve the problem and
get data encryption to happen.
I can't really get the logs off of these machines because their network is cut
off. If they're needed I can type relevant information from them manually,
though. I hope that's enough information for you all to be able to give me some
guidance.
Thanks much for your help.
Dave
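As an added diagnostic example (not part of the post above or of strongSwan itself): the symptom "tunnel negotiated, packets still in the clear" usually means the packet matches no `out` xfrm policy. The script below parses `ip xfrm policy` output (a constructed sample modelled on Bob's side; 192.168.15.50 is an assumed address for the NAT'ing PC) and reports, for a given src/dst pair, whether the kernel would send it as ESP and to which outer endpoint. It also makes visible why `ip xfrm state` on Bob shows the PC's address: the selectors carry the VM's inner subnet, the tmpl endpoints carry the NAT'd outer address.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output on Bob, modelled on the post:
# selectors name the VM subnet (inner addresses), tmpl endpoints name the
# NAT'ing PC (outer address). 192.168.15.50 is an assumed PC address.
SAMPLE_XFRM_POLICY = """\
src 192.168.15.177/32 dst 192.168.140.0/24
\tdir out priority 2816 ptype main
\ttmpl src 192.168.15.177 dst 192.168.15.50
\t\tproto esp reqid 1 mode tunnel
src 192.168.140.0/24 dst 192.168.15.177/32
\tdir in priority 2816 ptype main
\ttmpl src 192.168.15.50 dst 192.168.15.177
\t\tproto esp reqid 1 mode tunnel
"""


def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts: selector, direction, priority, tmpl."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"src (\S+) dst (\S+)", line):        # selector line
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                   "dir": None, "priority": 0, "tmpl": None}
            policies.append(cur)
        elif cur and (m := re.match(r"dir (\w+) priority (\d+)", line)):
            cur["dir"], cur["priority"] = m[1], int(m[2])
        elif cur and (m := re.match(r"tmpl src (\S+) dst (\S+)", line)):
            cur["tmpl"] = (m[1], m[2])                         # outer SA endpoints
    return policies


def lookup(policies, src, dst, direction="out"):
    """Return the policy that applies to a src->dst packet; lowest priority value wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def diagnose(text, src, dst):
    """Tell what the kernel does with an outbound packet: ESP to an outer endpoint, or plaintext."""
    pol = lookup(parse_policies(text), src, dst)
    if pol is None:
        return ("plaintext", None)   # no out policy covers it: it leaves unencrypted
    return ("esp", pol["tmpl"][1])   # tunnel's outer destination (the NAT'ing PC here)


if __name__ == "__main__":
    print(diagnose(SAMPLE_XFRM_POLICY, "192.168.15.177", "192.168.140.5"))  # ('esp', '192.168.15.50')
    print(diagnose(SAMPLE_XFRM_POLICY, "192.168.15.177", "192.168.15.50"))  # ('plaintext', None)
```

Run it against real output with `diagnose(subprocess.check_output(["ip", "xfrm", "policy"], text=True), src, dst)`; a plaintext verdict for the addresses you see in Wireshark points at the selectors (leftsubnet/rightsubnet), not at the IKE negotiation.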