[strongSwan] IPSec SA's not coming up when the device is behind a NAT

Tobias Brunner tobias at strongswan.org
Fri Apr 13 10:02:48 CEST 2012

Hi Deepika,

> As you can see, the installed policy is for ===
> Am I missing something here?

Two things: you have to install the virtual IP address on one of the
client's interfaces even before starting strongSwan (otherwise no
packets will ever match the trap policy), and you also have to configure
that IP address as leftsubnet on the client (otherwise the trap policy
and the source route are not properly installed - as seen above, the
native IP address is used).
Theoretically, both of these things could be added by Charon
automatically if leftsourceip is set to a fixed address.  But it would
cause problems if a different address is later assigned by the gateway.
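
The two conditions from the reply above can be checked before strongSwan is started. This is an added example, not part of the original post or of strongSwan: `parse_conns`, `check` and the sample addresses are constructed for illustration, trap connections are assumed to be those with `auto=route`, and the minimal reader ignores `also=` and `conn %default` inheritance.

```python
import ipaddress
import re

# Constructed sample inputs (private/documentation addresses, not from the thread).
SAMPLE_CONF = """\
conn broken
    leftsourceip=10.3.0.1
    right=203.0.113.1
    auto=route
conn fixed
    leftsourceip=10.3.0.1
    leftsubnet=10.3.0.1/32
    right=203.0.113.1
    auto=route
"""
SAMPLE_IP_ADDR = "2: eth0    inet 10.3.0.1/32 scope global eth0\n"  # like `ip -o addr show`

def parse_conns(text):
    """Read 'conn NAME' headers and their indented key=value lines."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif line and not line[0].isspace():
            cur = None  # another section such as "config setup"
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def check(conf, ip_o_addr):
    """Return (conn, problem) pairs for trap connections with a fixed leftsourceip."""
    local = {ipaddress.ip_address(a) for a in re.findall(r"\binet6? (\S+?)/", ip_o_addr)}
    findings = []
    for name, c in parse_conns(conf).items():
        try:
            vip = ipaddress.ip_address(c.get("leftsourceip", ""))
        except ValueError:
            continue  # unset or %config: the gateway assigns the address
        if c.get("auto") != "route":  # only auto=route installs trap policies
            continue
        if vip not in local:
            findings.append((name, "virtual IP not installed on an interface"))
        subnets = [s.split("[")[0].strip() for s in c.get("leftsubnet", "").split(",")]
        if not any(vip in ipaddress.ip_network(s, strict=False) for s in subnets if s):
            findings.append((name, "leftsubnet does not cover leftsourceip"))
    return findings
```

With the sample inputs, only the `broken` connection is reported, because it has no `leftsubnet` covering its fixed virtual IP.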


