[strongSwan] nat-before-esp with virtual ip

Andreas Steffen andreas.steffen at strongswan.org
Thu May 12 08:58:08 CEST 2011 

Hello Mark,

you must SNAT alice to moon's virtual IP. You can do that
automatically using a customized version of the _updown script.

Regards

Andreas

On 05/12/2011 12:13 AM, Mark.Marwil at gdc4s.com wrote:
> All,
> 
>  
> 
> I am trying to determine if a certain configuration is possible. 
> 
>  
> 
> I currently have the example ikev1/nat-before-esp configured.
> (http://www.strongswan.org/uml/testresults/ikev1/nat-before-esp/)
> 
>  Both the Client Alice and the Gateway Moon can successfully ping the
> Client Bob.
> 
>  
> 
> I would like to specify a virtual ip for moon in this configuration.  I
> have been able to assign a virtual ip address by adding the line
> leftsourceip=%modecfg, so that moons configuration looks like the following:
> 
>  
> 
> config setup
> 
>         plutodebug=control
> 
>         crlcheckinterval=180
> 
>         strictcrlpolicy=no
> 
>         charonstart=no
> 
>  
> 
> conn %default
> 
>         ikelifetime=60m
> 
>         keylife=20m
> 
>         rekeymargin=3m
> 
>         keyingtries=1
> 
>         keyexchange=ikev1
> 
>  
> 
> conn host-net
> 
>         left=192.168.0.1
> 
>         leftsourceip=%modecfg
> 
>         leftcert=moonCert.pem
> 
>         leftid=@moon.strongswan.org
> 
>         leftfirewall=yes
> 
>         right=192.168.0.2
> 
>         rightsubnet=10.2.0.0/16
> 
>         rightid=@sun.strongswan.org
> 
>         auto=add
> 
>  
> 
> Moon successfully gets the virtual ip address and is still able to ping
> Client Bob.  However Client Alice is no long able to ping Client Bob.
>  Using a network sniffer I am able to see that Moon’s pings are being
> encapsulated, and Alice’s pings are being NATed but not encapsulated. 
> 
>  
> 
> Any suggestions?
> 
>  
> 
> Thank you,
> 
> Mark

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list