[strongSwan] Question involving NAT
Andreas Steffen
andreas.steffen at strongswan.org
Wed Sep 22 19:32:47 CEST 2010
Hello Dave,
are you using IKEv1? If yes, then IKEv1 does not support
the left=%any statement, since automatic route lookup
does not work. Rather use left=%defaultroute.
Regards
Andreas
On 22.09.2010 16:11, David Spracklen wrote:
> I've tried to use the examples to set up a test of my own involving NAT,
> but I haven't been able to get it to work. I'll list as much of what's
> going on here in hopes you can show me what I'm missing.
>
> There are two machines communicating, Alice and Bob.
>
> Alice: a Fedora VM on a Windows PC
> Bob: a Fedora computer
>
> Alice uses NAT to access the network through the hosting PC to avoid
> network conflicts. That's the biggest difference between my setup and
> the examples. There aren't two NAT machines making a tunnel; I'm trying
> to make a tunnel between two machines, one of which is using NAT to talk
> to the network.
>
> NAT
> AliceVM<------->PC<------------>Bob
>
> Thus far I can get Alice and Bob to negotiate a tunnel and their logs
> clearly show everything is working, and yet no data between the two is
> encrypted. I use Wireshark to watch the packets. When I examine the
> xfrm information on Bob, it shows that the IP address in the table is
> that of the PC and not the VM. When running 'ipsec status' it shows
> that the IP address for Alice is that of the VM.
>
> Alice's ipsec.conf:
> conn alice-to-bob
>     left=%any
>     leftcert=alice_cert.der
>     leftid="alice at here"
>     leftsubnet=192.168.140.0/24
>     leftfirewall=yes
>     right=192.168.15.177
>     rightallowany=yes
>     rightsubnet=192.168.15.0/24
>     rightid="bob at there"
>
> Bob's ipsec.conf:
> conn alice-to-bob
>     left=192.168.15.177
>     leftcert=bob_cert.der
>     leftid="bob at there"
>     right=%any
>     rightallowany=yes
>     rightsubnet=192.168.140.0/24
>     rightid="alice at here"
>     auto=add
>
> I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf
> because when I do that, the system's networking locks up for some
> reason. One thing I wonder about is that the 'system lockup' might be
> because the tunnel is actually functioning, but there are issues with my
> X session (using Xming) from my PC (that's also running the Alice VM) to
> Bob.
>
> So, again, the real issue with this setup as it is currently is that the
> negotiation happens and strongSwan seems to create a tunnel, but no data
> encryption is actually happening. That's the main problem. I included
> the second issue only to demonstrate one other way I tried to solve the
> problem and get data encryption to happen.
>
> I can't really get the logs off of these machines because their network
> is cut off. If they're needed I can type relevant information from them
> manually, though. I hope that's enough information for you all to be
> able to give me some guidance.
>
> Thanks much for your help.
>
> Dave
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
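Added example, not part of this thread or of strongSwan itself: a small checker that scans ipsec.conf text for the mix Andreas points out, left=%any on a conn that is (or may be) handled by IKEv1. It assumes a conn without an explicit keyexchange=ikev2 can fall to IKEv1 (the strongSwan 4.x behaviour of the time) and honours settings inherited from conn %default; the sample config is constructed from Alice's conn above.

```python
# Constructed sample: Alice's conn as posted, plus one conn explicitly on IKEv2.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev1

conn alice-to-bob
    left=%any
    leftcert=alice_cert.der
    leftsubnet=192.168.140.0/24
    right=192.168.15.177
    rightsubnet=192.168.15.0/24

conn v2-only
    keyexchange=ikev2
    left=%any
    right=192.168.15.177
"""

def parse_ipsec_conf(text):
    """Return {"conn NAME": {key: value}, ...} for every section in an ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: section header, e.g. "conn alice-to-bob"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line: # indented key=value belongs to the last header
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def find_any_with_ikev1(text):
    """Names of conns that combine left=%any with IKEv1 (the unsupported mix); fix is left=%defaultroute."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get("conn %default", {})  # conn %default values apply to every other conn
    hits = []
    for name, opts in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = {**defaults, **opts}
        # Assumption: no explicit keyexchange=ikev2 means the conn may be run by IKEv1,
        # so it is reported as well (strongSwan 4.x did not default to IKEv2).
        if merged.get("left") == "%any" and merged.get("keyexchange", "ikev1") != "ikev2":
            hits.append(name[len("conn "):])
    return hits
```

Run find_any_with_ikev1 over the file contents; every name it returns is a conn whose left= should become %defaultroute (or which should be switched to keyexchange=ikev2).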