[strongSwan] Question involving NAT
David Spracklen
david_spracklen at yahoo.com
Wed Sep 22 19:44:05 CEST 2010
Sorry, I should have stated that I am using IKEv2. (charon) When I tried to set
the %defaultroute I got a message that it wasn't supported.
Dave
________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: David Spracklen <david_spracklen at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Wed, September 22, 2010 1:32:47 PM
Subject: Re: [strongSwan] Question involving NAT
Hello Dave,
are you using IKEv1? If yes then IKEv1 does not support
the left=%any statement since automatic route lookup
does not work. Rather use left=%defaultroute.
Regards
Andreas
On 22.09.2010 16:11, David Spracklen wrote:
> I've tried to use the examples to set up a test of my own involving NAT,=
> but I haven't been able to get it to work. I'll list as much of what's
> going on here in hopes you can show me what I'm missing.
>
> There are two machines communicating, Alice and Bob.
>
> Alice: a Fedora VM on a Windows PC
> Bob: a Fedora computer
>
> Alice uses NAT to access the network through the hosting PC to avoid
> network conflicts. That's the biggest difference between my setup and
> the examples. There aren't two NAT machines making a tunnel; I'm trying
> to make a tunnel between two machines, one of which is using NAT to talk
> to the network.
>
> NAT
> AliceVM<------->PC<------------>Bob
>
> Thus far I can get Alice and Bob to negotiate a tunnel and their logs
> clearly show everything is working, and yet no data between the two is
> encrypted. I use Wireshark to watch the packets. When I examine the
> xfrm information on Bob, it shows that the IP address in the table is
> that of the PC and not the VM. When running 'ipsec status' it shows
> that the IP address for Alice is that of the VM.
>
> Alice's ipsec.conf
> conn alice-to-bob
> left=%any
> leftcert=alice_cert.der
> leftid="alice at here"
> leftsubnet=192.168.140.0/24
> leftfirewall=yes
> right=192.168.15.177
> rightallowany=yes
> rightsubnet=192.168.15.0/24
> rightid="bob at there"
>
> Bob's ipsec.conf:
> conn alice-to-bob
> left=192.168.15.177
> leftcert=bob_cert.der
> leftid="bob at there"
> right=%any
> rightallowany=yes
> rightsubnet=192.168.140.0/24
> rightid="alice at here"
> auto=add
>
> I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf
> because when I do that, the system's networking locks up for some
> reason. One thing I wonder about is that the 'system lockup' might be
> because the tunnel is actually functioning, but there are issues with my
> X session (using Xming) from my PC (that's also running the Alice VM) to
> Bob.
>
> So, again, the real issue with this setup as it is currently is that the
> negotiation happens and strongSwan seems to create a tunnel, but no data
> encryption is actually happening. That's the main problem. I included
> the second issue only to demonstrate one other way I tried to solve the
> problem and get data encryption to happen.
>
> I can't really get the logs off of these machines because their network
> is cut off. If they're needed I can type relevant information from them
> manually, though. I hope that's enough information for you all to be
> able to give me some guidance.
>
> Thanks much for your help.
>
> Dave
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100922/19d118a5/attachment.html>
More information about the Users
mailing list