[strongSwan] Question involving NAT
andreas.steffen at strongswan.org
Wed Sep 22 19:32:47 CEST 2010
are you using IKEv1? If yes then IKEv1 does not support
the left=%any statement since automatic route lookup
does not work. Rather use left=%defaultroute.
On 22.09.2010 16:11, David Spracklen wrote:
> I've tried to use the examples to set up a test of my own involving NAT,=
> but I haven't been able to get it to work. I'll list as much of what's
> going on here in hopes you can show me what I'm missing.
> There are two machines communicating, Alice and Bob.
> Alice: a Fedora VM on a Windows PC
> Bob: a Fedora computer
> Alice uses NAT to access the network through the hosting PC to avoid
> network conflicts. That's the biggest difference between my setup and
> the examples. There aren't two NAT machines making a tunnel; I'm trying
> to make a tunnel between two machines, one of which is using NAT to talk
> to the network.
> Thus far I can get Alice and Bob to negotiate a tunnel and their logs
> clearly show everything is working, and yet no data between the two is
> encrypted. I use Wireshark to watch the packets. When I examine the
> xfrm information on Bob, it shows that the IP address in the table is
> that of the PC and not the VM. When running 'ipsec status' it shows
> that the IP address for Alice is that of the VM.
> Alice's ipsec.conf
> conn alice-to-bob
> leftid="alice at here"
> rightid="bob at there"
> Bob's ipsec.conf:
> conn alice-to-bob
> leftid="bob at there"
> rightid="alice at here"
> I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf
> because when I do that, the system's networking locks up for some
> reason. One thing I wonder about is that the 'system lockup' might be
> because the tunnel is actually functioning, but there are issues with my
> X session (using Xming) from my PC (that's also running the Alice VM) to
> So, again, the real issue with this setup as it is currently is that the
> negotiation happens and strongSwan seems to create a tunnel, but no data
> encryption is actually happening. That's the main problem. I included
> the second issue only to demonstrate one other way I tried to solve the
> problem and get data encryption to happen.
> I can't really get the logs off of these machines because their network
> is cut off. If they're needed I can type relevant information from them
> manually, though. I hope that's enough information for you all to be
> able to give me some guidance.
> Thanks much for your help.
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
More information about the Users