[strongSwan] nat-before-esp with virtual ip

Thu May 12 00:13:21 CEST 2011

All,

I am trying to determine if a certain configuration is possible.  

I currently have the example ikev1/nat-before-esp configured.
(http://www.strongswan.org/uml/testresults/ikev1/nat-before-esp/)

 Both the Client Alice and the Gateway Moon can successfully ping the
Client Bob.

I would like to specify a virtual ip for moon in this configuration.  I
have been able to assign a virtual ip address by adding the line
leftsourceip=%modecfg, so that moons configuration looks like the
following:

config setup

        plutodebug=control

        crlcheckinterval=180

        strictcrlpolicy=no

        charonstart=no

conn %default

        ikelifetime=60m

        keylife=20m

        rekeymargin=3m

        keyingtries=1

        keyexchange=ikev1

conn host-net

        left=192.168.0.1

        leftsourceip=%modecfg

        leftcert=moonCert.pem

        leftid=@moon.strongswan.org

        leftfirewall=yes

        right=192.168.0.2

        rightsubnet=10.2.0.0/16

        rightid=@sun.strongswan.org

        auto=add

Moon successfully gets the virtual ip address and is still able to ping
Client Bob.  However Client Alice is no long able to ping Client Bob.
Using a network sniffer I am able to see that Moon's pings are being
encapsulated, and Alice's pings are being NATed but not encapsulated.  

Any suggestions?

Thank you,

Mark

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110511/6f811450/attachment.html>