OS X and NAT roadwarriors

J. Tang tang at jtang.org
Fri Nov 11 02:53:59 CET 2011

I compiled strongSwan from latest git (see patches at https://lists.strongswan.org/pipermail/dev/2011-November/000476.html) for Mac OS X 10.6. I have strongSwan running on a Linux server (also compiled from git).

I am trying to connect from an OS X laptop to the Linux server. The laptop is behind a NAT and is effectively a roadwarrior. I have been able to establish an IKE_SA from the laptop to the server (via cert), but have run into problems:

1. If I do not assign an IP to the laptop (leftsourceip), then NAT packets (UDP 4500) sent from the laptop have, as source address, the laptop's NAT (private address) and not the address of the NAT router.

2. If I do try to assign an IP, the client fails to establish a CHILD_SA. Is this because virtual IP still does not work for OS X?

For case #1, I am fairly sure the NAT router is configured correctly, because the laptop can connect to other servers and because I can establish an IKE_SA. Do routers typically need special iptables rules to route UDP 4500 packets?
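For reference, here is a minimal certificate-based roadwarrior/server pair in ipsec.conf form, added here as an example; it is not the poster's configuration and not taken from the strongSwan project. The connection names, certificate file names, identities, the server FQDN and the virtual-IP pool are all assumptions chosen for illustration.

```ini
# Added example (not the poster's config): Linux server side, ipsec.conf.
# Certificate names, identities and the address pool below are assumed.
config setup

conn roadwarrior
    keyexchange=ikev2
    left=%defaultroute
    leftcert=serverCert.pem          # assumed cert in /etc/ipsec.d/certs
    leftid=@vpn.example.org          # assumed server identity
    leftsubnet=0.0.0.0/0             # offer the client a full tunnel
    right=%any                       # clients may come from any (NATed) address
    rightsourceip=10.10.0.0/24       # assumed pool of virtual IPs handed to clients
    auto=add

# Added example: OS X client side, ipsec.conf.
conn server
    keyexchange=ikev2
    left=%defaultroute
    leftcert=clientCert.pem          # assumed client cert
    leftid=@laptop.example.org       # assumed client identity
    leftsourceip=%config             # ask the server for a virtual IP
    right=vpn.example.org            # assumed server FQDN
    rightid=@vpn.example.org
    rightsubnet=0.0.0.0/0
    auto=add
```

With the pool on the server and `leftsourceip=%config` on the client, `ipsec statusall` on either side shows whether the CHILD_SA came up and which virtual IP was assigned. To see which source address the NAT router actually presents for NAT-T traffic, capture UDP 4500 on the server's external interface (for example with tcpdump filtering on `udp port 4500`) while the client connects and compare the source address against the router's public address.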

