[strongSwan] Question involving NAT

David Spracklen david_spracklen at yahoo.com
Wed Sep 22 19:44:05 CEST 2010

Sorry, I should have stated that I am using IKEv2 (charon). When I tried to set
the %defaultroute I got a message that it wasn't supported.


From: Andreas Steffen <andreas.steffen at strongswan.org>
To: David Spracklen <david_spracklen at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Wed, September 22, 2010 1:32:47 PM
Subject: Re: [strongSwan] Question involving NAT

Hello Dave,

are you using IKEv1? If yes, then IKEv1 does not support
the left=%any statement, since automatic route lookup
does not work. Use left=%defaultroute instead.



On 22.09.2010 16:11, David Spracklen wrote:
> I've tried to use the examples to set up a test of my own involving NAT,
> but I haven't been able to get it to work. I'll list as much of what's
> going on here in hopes you can show me what I'm missing.
> There are two machines communicating, Alice and Bob.
> Alice: a Fedora VM on a Windows PC
> Bob: a Fedora computer
> Alice uses NAT to access the network through the hosting PC to avoid
> network conflicts. That's the biggest difference between my setup and
> the examples. There aren't two NAT machines making a tunnel; I'm trying
> to make a tunnel between two machines, one of which is using NAT to talk
> to the network.
>                    NAT
> AliceVM<------->PC<------------>Bob
> Thus far I can get Alice and Bob to negotiate a tunnel and their logs
> clearly show everything is working, and yet no data between the two is
> encrypted.  I use Wireshark to watch the packets.  When I examine the
> xfrm information on Bob, it shows that the IP address in the table is
> that of the PC and not the VM.  When running 'ipsec status' it shows
> that the IP address for Alice is that of the VM.
> Alice's ipsec.conf:
> conn alice-to-bob
>     left=%any
>     leftcert=alice_cert.der
>     leftid="alice at here"
>     leftsubnet=
>     leftfirewall=yes
>     right=
>     rightallowany=yes
>     rightsubnet=
>     rightid="bob at there"
> Bob's ipsec.conf:
> conn alice-to-bob
>     left=
>     leftcert=bob_cert.der
>     leftid="bob at there"
>     right=%any
>     rightallowany=yes
>     rightsubnet=
>     rightid="alice at here"
>     auto=add
> I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf
> because when I do that, the system's networking locks up for some
> reason.  One thing I wonder about is that the 'system lockup' might be
> because the tunnel is actually functioning, but there are issues with my
> X session (using Xming) from my PC (that's also running the Alice VM) to
> Bob.
> So, again, the real issue with this setup as it is currently is that the
> negotiation happens and strongSwan seems to create a tunnel, but no data
> encryption is actually happening.  That's the main problem.  I included
> the second issue only to demonstrate one other way I tried to solve the
> problem and get data encryption to happen.
> I can't really get the logs off of these machines because their network
> is cut off. If they're needed I can type relevant information from them
> manually, though. I hope that's enough information for you all to be
> able to give me some guidance.
> Thanks much for your help.
> Dave

Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
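One check worth running on Bob when a tunnel is up but Wireshark still shows plaintext: do the traffic selectors the kernel actually installed (what `ip xfrm policy` prints, driven by leftsubnet/rightsubnet) cover the flow you are testing? The thread does not include Bob's real xfrm output, so the sample below is constructed, with made-up addresses for Bob, the NAT PC and the VM; this is an added example, not code from the thread or from strongSwan.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not taken from the thread).
# Assumed addresses: Bob 198.51.100.7, NAT PC 203.0.113.5, Alice VM 192.168.56.10.
# Host-to-host selectors like these only cover traffic to/from the PC's address.
SAMPLE_XFRM_POLICY = """\
src 198.51.100.7/32 dst 203.0.113.5/32
	dir out priority 375423 ptype main
	tmpl src 198.51.100.7 dst 203.0.113.5
		proto esp reqid 1 mode tunnel
src 203.0.113.5/32 dst 198.51.100.7/32
	dir in priority 375423 ptype main
	tmpl src 203.0.113.5 dst 198.51.100.7
		proto esp reqid 1 mode tunnel
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\S+)")


def parse_xfrm_policy(text):
    """Return a list of (src_net, dst_net, direction) selectors from `ip xfrm policy` text."""
    policies = []
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            # strict=False tolerates host addresses printed with or without a prefix length
            current = (ipaddress.ip_network(m.group(1), strict=False),
                       ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            policies.append((current[0], current[1], m.group(1)))
            current = None
    return policies


def covering_policy(policies, src, dst, direction):
    """Return the first selector covering the flow, or None if the kernel would send it in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, pdir in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return (src_net, dst_net, pdir)
    return None


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    print("Bob -> PC:", covering_policy(pols, "198.51.100.7", "203.0.113.5", "out"))
    print("Bob -> VM:", covering_policy(pols, "198.51.100.7", "192.168.56.10", "out"))
```

A flow that returns None is one the kernel has no policy for, so it goes out unprotected regardless of what `ipsec status` reports.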
