[strongSwan] nat-before-esp with virtual ip
Mark.Marwil at gdc4s.com
Fri Jun 17 17:31:56 CEST 2011
I would like to add one more complication to this configuration. I
would like for moon to have the parameter rightsubnet=0.0.0.0/0.
When I specify this parameter, I see that the _updown script calls the
following:
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
Can you help me understand what these lines are for? After they are
added to the route table 220, moon can still reach bob, but alice
cannot. Do I need to mark packets that are from Alice for this
configuration to work?
Thank you,
Mark
-----Original Message-----
From: users-bounces+mark.marwil=gdc4s.com at lists.strongswan.org
[mailto:users-bounces+mark.marwil=gdc4s.com at lists.strongswan.org] On
Behalf Of Mark.Marwil at gdc4s.com
Sent: Thursday, May 12, 2011 9:18 AM
To: andreas.steffen at strongswan.org
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] nat-before-esp with virtual ip
That worked great, thank you!!
Mark
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Wednesday, May 11, 2011 11:58 PM
To: Marwil, Mark-P63354
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] nat-before-esp with virtual ip
Hello Mark,
you must SNAT alice to moon's virtual IP. You can do that
automatically using a customized version of the _updown script.
Regards
Andreas
On 05/12/2011 12:13 AM, Mark.Marwil at gdc4s.com wrote:
> All,
>
> I am trying to determine if a certain configuration is possible.
>
> I currently have the example ikev1/nat-before-esp configured.
> (http://www.strongswan.org/uml/testresults/ikev1/nat-before-esp/)
>
> Both the Client Alice and the Gateway Moon can successfully ping the
> Client Bob.
>
> I would like to specify a virtual ip for moon in this configuration. I
> have been able to assign a virtual ip address by adding the line
> leftsourceip=%modecfg, so that moon's configuration looks like the
> following:
>
> config setup
>     plutodebug=control
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     charonstart=no
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>
> conn host-net
>     left=192.168.0.1
>     leftsourceip=%modecfg
>     leftcert=moonCert.pem
>     leftid=@moon.strongswan.org
>     leftfirewall=yes
>     right=192.168.0.2
>     rightsubnet=10.2.0.0/16
>     rightid=@sun.strongswan.org
>     auto=add
>
> Moon successfully gets the virtual ip address and is still able to ping
> Client Bob. However Client Alice is no longer able to ping Client Bob.
> Using a network sniffer I am able to see that Moon's pings are being
> encapsulated, and Alice's pings are being NATed but not encapsulated.
>
> Any suggestions?
>
> Thank you,
>
> Mark
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
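As an added illustration (not the list's or strongSwan's own code) of the two points in this thread: why _updown installs two /1 routes for a 0.0.0.0/0 remote subnet, and Andreas's suggestion of SNATing alice to moon's virtual IP from a customised _updown. The PLUTO_* names are the variables strongSwan exports to _updown; CLIENT_NET and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown: both pieces from the thread as
# functions that return the command text, so they can be reviewed (DRY_RUN=1)
# before being applied on a gateway like moon.
#
# Assumed (not on the page): the subnet behind moon that alice sits in is
# CLIENT_NET. The PLUTO_* names are the variables strongSwan exports to _updown.

CLIENT_NET="${CLIENT_NET:-10.1.0.0/16}"   # constructed sample, adjust per site

# Two /1 routes together cover every destination, yet each is more specific
# than 0.0.0.0/0, so longest-prefix matching prefers them while the existing
# default route stays untouched. That is what the "opportunistic encryption
# work around" in _updown does when the remote subnet is 0.0.0.0/0.
eclipse_default() {            # $1: add|del   $2...: "via ... dev ... src ..."
    action=$1; shift
    printf 'ip route %s 0.0.0.0/1 %s\nip route %s 128.0.0.0/1 %s\n' \
        "$action" "$*" "$action" "$*"
}

# SNAT alice's packets to the virtual IP moon obtained via leftsourceip, so
# they match the host-to-net IPsec policy and are encapsulated like moon's own.
# Only traffic for the remote subnet is rewritten; alice's local traffic is not.
snat_to_vip() {                # $1: up-client|down-client  $2: vip  $3: peer net
    case "$1" in
        up-client)   action=-A ;;
        down-client) action=-D ;;
        *) return 1 ;;         # other verbs (up-host, ...) need no NAT change
    esac
    echo "iptables -t nat $action POSTROUTING -s $CLIENT_NET -d $3 -j SNAT --to-source $2"
}

# Hook for a customised _updown: call it after the stock up-client/down-client
# handling. Without a virtual IP (no leftsourceip) it does nothing.
client_snat_hook() {
    [ -n "$PLUTO_MY_SOURCEIP" ] || return 0
    cmd=$(snat_to_vip "$PLUTO_VERB" "$PLUTO_MY_SOURCEIP" "$PLUTO_PEER_CLIENT") || return 0
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"            # show what would run
    else
        $cmd                   # word-split on purpose: no spaces in the args
    fi
}
```

Run with DRY_RUN=1 first to confirm the rule matches only the client subnet and the remote subnet, then pair the hook with the matching route commands in the same verb branches.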