[strongSwan] transport mode + NAT with charon
Deepak Logan
deepaklogan492 at gmail.com
Thu Dec 13 04:05:54 CET 2012

Hello,
Is it possible to configure charon in transport mode for NAT deployments?
We are upgrading from ikev1 to ikev2 and do not want to introduce extra
regression by switching to tunnel mode.
The problem with switching to tunnel mode is that it would break our
applications, because they expect decrypted datagrams to have the NATed IP
address and not the original IP address. This is not the case with tunnel
mode any more, because the inner IP layer is encrypted and isn't altered by
intermediary firewalls at all.
It looks like this can be worked around by a leftupdown script which would
insert iptables rules that NAT decrypted packets. But are there any easier
alternatives?
Also by looking at git history it seems that "--enable-nat-transport" is
only for IKEv1? Is that right?
BR