[strongSwan] Single ipsec.conf template that can handle NAT and non-NAT configuration at the same time
ansisatteka at gmail.com
Sat Dec 8 03:28:25 CET 2012
Let's say that I want to use the same ipsec.conf template on both
peers. One of the peers could be behind a NAT (in that case I do not
know in advance to which IP address it will be NATed). Also, sometimes
both peers might be connected directly without any NATs. The same
template should support both deployments.
Now I came up with this ipsec.conf template that looks something like:
Is it possible to merge all these "conn" entries into a single "conn"
entry so that it would still support NAT and non-NAT deployment?
Otherwise, on the responder, if remote-<peer>-nat-responder was
negotiated, then the remote-<peer>-direct and
remote-<peer>-nat-initiator would still pointlessly be stuck in
I tried to experiment with rightallowany=yes, but that made strongSwan
get stuck in IKE negotiation, because, I guess, it uses the NATed IP address
to find a proposal, but it couldn't find any.