[strongSwan] nat-before-esp with virtual ip

Mark.Marwil at gdc4s.com Mark.Marwil at gdc4s.com
Fri Jun 17 17:31:56 CEST 2011


I would like to add one more complication to this configuration.   I
would like for moon to have the parameter rightsubnet=0.0.0.0/0.

When I specify this parameter, I see that the _updown script calls the
following:
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
		ip route $1 128.0.0.0/1 $parms2 $parms3"

Can you help me understand what these lines are for?  After they are
added to routing table 220, moon can still reach bob, but Alice cannot.
Do I need to mark packets that come from Alice for this configuration
to work?

Thank you,
Mark


-----Original Message-----
From: users-bounces+mark.marwil=gdc4s.com at lists.strongswan.org
[mailto:users-bounces+mark.marwil=gdc4s.com at lists.strongswan.org] On
Behalf Of Mark.Marwil at gdc4s.com
Sent: Thursday, May 12, 2011 9:18 AM
To: andreas.steffen at strongswan.org
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] nat-before-esp with virtual ip

That worked great, thank you!!

Mark 



-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Wednesday, May 11, 2011 11:58 PM
To: Marwil, Mark-P63354
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] nat-before-esp with virtual ip

Hello Mark,

you must SNAT alice to moon's virtual IP. You can do that
automatically using a customized version of the _updown script.

Regards

Andreas

On 05/12/2011 12:13 AM, Mark.Marwil at gdc4s.com wrote:
> All,
>
> I am trying to determine if a certain configuration is possible.
>
> I currently have the example ikev1/nat-before-esp configured.
> (http://www.strongswan.org/uml/testresults/ikev1/nat-before-esp/)
> Both the Client Alice and the Gateway Moon can successfully ping the
> Client Bob.
>
> I would like to specify a virtual ip for moon in this configuration. I
> have been able to assign a virtual ip address by adding the line
> leftsourceip=%modecfg, so that moon's configuration looks like the
> following:
>
> config setup
>         plutodebug=control
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         charonstart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>
> conn host-net
>         left=192.168.0.1
>         leftsourceip=%modecfg
>         leftcert=moonCert.pem
>         leftid=@moon.strongswan.org
>         leftfirewall=yes
>         right=192.168.0.2
>         rightsubnet=10.2.0.0/16
>         rightid=@sun.strongswan.org
>         auto=add
>
> Moon successfully gets the virtual ip address and is still able to ping
> Client Bob.  However Client Alice is no longer able to ping Client Bob.
> Using a network sniffer I am able to see that Moon's pings are being
> encapsulated, and Alice's pings are being NATed but not encapsulated.
>
> Any suggestions?
>
> Thank you,
>
> Mark

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
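The SNAT step Andreas describes, as an added example that is not part of this thread and not strongSwan's own _updown script: an up-client/down-client handler for moon that rewrites the source of Alice's forwarded packets to moon's virtual IP. It relies on the PLUTO_VERB, PLUTO_MY_SOURCEIP and PLUTO_PEER_CLIENT variables that pluto exports to _updown; ALICE_NET (the subnet behind moon, with 10.1.0.0/16 as a placeholder default) and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not strongSwan's _updown: SNAT the subnet behind moon to the
# virtual IP that pluto assigned via leftsourceip, so that traffic forwarded
# from Alice matches the IPsec policy whose local selector is that virtual IP.
#
# Variables exported by pluto to _updown and used here:
#   PLUTO_VERB         up-client / down-client (among others)
#   PLUTO_MY_SOURCEIP  the virtual IP assigned to moon (empty if none)
#   PLUTO_PEER_CLIENT  the remote subnet, e.g. 10.2.0.0/16 or 0.0.0.0/0
# Assumptions added for the example:
#   ALICE_NET          subnet behind moon to be SNATed (placeholder default)
#   DRY_RUN=1          print the commands instead of running them

ALICE_NET="${ALICE_NET:-10.1.0.0/16}"

# Execute a command, or print it when DRY_RUN=1 so the script can be
# exercised on a host without netfilter and its commands inspected.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 is the iptables action: -A to install the rule, -D to remove it.
# Matching on PLUTO_PEER_CLIENT keeps the rule scoped to the tunnel's
# remote selector; with rightsubnet=0.0.0.0/0 it covers everything.
snat_cmd() {
    run iptables -t nat "$1" POSTROUTING \
        -s "$ALICE_NET" -d "$PLUTO_PEER_CLIENT" \
        -j SNAT --to-source "$PLUTO_MY_SOURCEIP"
}

updown_main() {
    # No virtual IP assigned: nothing to SNAT to, leave NAT untouched.
    [ -n "${PLUTO_MY_SOURCEIP:-}" ] || return 0
    case "${PLUTO_VERB:-}" in
        up-client)   snat_cmd -A ;;
        down-client) snat_cmd -D ;;
        *) ;;   # up-host, prepare-client, ... need no NAT change
    esac
}

# Invoked by pluto with PLUTO_* set; when sourced for inspection or testing
# without PLUTO_VERB, nothing runs.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

To use it, copy the installed _updown script (its location depends on the installation, e.g. /usr/lib/ipsec/_updown), add the handler to its up-client and down-client branches, and point the connection at the copy with leftupdown=/path/to/script. Because the rule keys on PLUTO_PEER_CLIENT it applies unchanged when rightsubnet becomes 0.0.0.0/0. The 0.0.0.0/1 and 128.0.0.0/1 routes that _updown installs in that case together cover the whole IPv4 space and are more specific than the default route, so they take precedence without replacing it; the src they carry selects the virtual IP only for packets moon originates itself, which is why packets forwarded from Alice still need the SNAT rule.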
