[strongSwan] What to do when the WAN IP of the NAT router is changed?

TAMAMA! 844538316 at qq.com
Wed Dec 12 09:42:23 CET 2012


Hi all,


I've used strongSwan for some time, and I found a problem when I use it in a situation where the WAN IP of the NAT router changes.

As in the following illustration, I use a computer as CLIENT alice, which is behind a NAT router. An IPsec tunnel is set up between alice and GATEWAY sun. Now the IP of CLIENT alice is IP11, the IP of GATEWAY sun is IP22, and the WAN IP of the NAT router is IP21.


       IP11                    IP12          IP21                    IP22
CLIENT----------------------------NAT router----------------------------GATEWAY
alice                                                                   sun

Before the WAN IP is changed, the IPsec tunnel is available, and CLIENT alice can communicate with GATEWAY sun. When the WAN IP of the NAT router, IP21, is changed to IP23 for some reason, the tunnel still exists, but CLIENT alice cannot communicate with GATEWAY sun anymore. GATEWAY sun cannot receive a DPD response from CLIENT alice, and the tunnel is deleted after the DPD timeout.


       IP11                    IP12          IP23                    IP22
CLIENT----------------------------NAT router----------------------------GATEWAY
alice                                                                   sun

There is no doubt that strongSwan does support NAT, but how do I configure strongSwan to support this situation? I checked the configuration HOWTOs and the strongSwan UML tests on www.strongswan.org, but I cannot find any way to solve this problem. My strongSwan version is 4.5.2 with Linux kernel 2.6.36.4; does it work? Or can the problem be solved with the latest version of strongSwan, 4.6.4 or 5.0.0?


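The configuration below is an added example for the scenario in the post above; it is not part of the original message and not a reply from the list. It shows the two settings a practitioner would normally check for a NAT whose public address can change: IKEv2 with MOBIKE on the client, so the IKE_SA can follow an address or NAT-mapping change, and `dpdaction=restart` on the client (with `dpdaction=clear` on the gateway), so that if the gateway does become unreachable the client tears the IKE_SA down and re-initiates, and the new IKE_SA_INIT then reaches sun from the NAT's new WAN IP (IP23). The connection names, certificate file names, identities, subnets and the placeholder addresses IP22 and IP23 are assumptions chosen for illustration; the ipsec.conf keywords themselves (`keyexchange`, `mobike`, `dpdaction`, `dpddelay`, `leftsourceip`, `rightsourceip`, `auto`) are standard strongSwan options.

```ini
# ----- ipsec.conf on CLIENT alice (behind the NAT router) -----
# Added example, not taken from the post. Names and addresses are assumed.
config setup

conn alice-sun
    keyexchange=ikev2
    # Bind to whatever interface currently carries the default route (IP11).
    left=%defaultroute
    leftid=alice@strongswan.org
    leftcert=aliceCert.pem
    # Request a virtual IP from the gateway so inner addressing survives a rekey.
    leftsourceip=%config
    right=IP22
    rightid=sun.strongswan.org
    rightsubnet=10.1.0.0/16
    # MOBIKE (IKEv2 only): the IKE_SA is allowed to follow address/NAT-mapping changes
    # instead of being pinned to the address seen at IKE_SA_INIT (IP21).
    mobike=yes
    # DPD: if sun stops answering, delete the SA and re-initiate from scratch.
    # The fresh IKE_SA_INIT leaves the NAT from its new WAN IP (IP23).
    dpdaction=restart
    dpddelay=30s
    auto=start

# ----- ipsec.conf on GATEWAY sun -----
conn rw
    keyexchange=ikev2
    left=IP22
    leftid=sun.strongswan.org
    leftcert=sunCert.pem
    leftsubnet=10.1.0.0/16
    # Accept roadwarriors from any address; the client must be the initiator.
    right=%any
    rightsourceip=10.3.0.0/16
    # On DPD timeout just drop the dead SA; the client restarts the connection.
    dpdaction=clear
    dpddelay=30s
    auto=add
```

Two caveats apply. First, `dpdaction=restart` on the gateway is not useful here: sun can only ever retry toward the old address IP21, so the side that re-initiates must be the one behind the NAT. Second, with IKEv2 there is no `dpdtimeout`; the time until the client gives up is governed by charon's retransmission settings in strongswan.conf (`charon.retransmit_tries`, `charon.retransmit_timeout`, `charon.retransmit_base`), and the NAT keepalive interval by `charon.keep_alive` (20s by default). If the setup is actually IKEv1 (pluto in the 4.5.x series), MOBIKE is not available and only the DPD restart path remains.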