[strongSwan] How to do NAT before ESP? having trouble

Mark M mark076h at yahoo.com
Sun Jul 22 23:34:43 CEST 2012



Steffen, I saw the example and script earlier today and thought it was for Pluto. It looks pretty straightforward, but I am not sure what the $PLUTO_INTERFACE is or the PH_IP_ALICE part is. How do I find the name of the ipsec interface?
------------------------------
On Sun, Jul 22, 2012 4:43 PM EDT Andreas Steffen wrote:

>Hi Mark,
>
>here is an IKEv2 example where the clients are NAT-ed to the
>virtual IP of the gateway:
>
>http://www.strongswan.org/uml/testresults5/ikev2/nat-virtual-ip/
>
>In order to automatically insert the NAT iptables rules you need
>a special updown script I wrote a couple of years ago:
>
>http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown;h=aab1df687484362b2c16eaf6bd30d05b3590520a;hb=HEAD
>
>Best regards
>
>Andreas
>
>On 07/22/2012 08:53 AM, Mark M wrote:
>> Hi,
>>
>> I am running a mobile road warrior client with strongSwan connecting to
>> a strongSwan gateway. The mobile client has two interfaces, one for an
>> inside subnet and one for the WAN connection. Behind my mobile client on
>> the LAN side, I have another host that I would like to connect through
>> the mobile client using NAT. Kinda like if I used my laptop as a mobile
>> hotspot for other clients to connect to and all their connections are
>> sent to my strongSwan gateway. I tried to set up NAT using iptables with
>> the inside interface and the outside interface and it does not work. I
>> looked around on old emails and I think what I am looking to do is
>> NAT before ESP. I need to NAT my LAN client to the virtual IP address or
>> the outside WAN interface before it gets sent down the tunnel to my
>> strongSwan gateway. I was looking at the older emails about the updown
>> scripts but I can't find one for IKEv2 and charon. I also read that
>> there was work being done on a leftnat parameter but work on it was halted.
>>
>> Is there any way I can do this?
>>
>> Thanks
>>
>> Mark-
>
>
>-- 
>======================================================================
>Andreas Steffen                         andreas.steffen at strongswan.org
>strongSwan - the Linux VPN Solution!                www.strongswan.org
>Institute for Internet Technologies and Applications
>University of Applied Sciences Rapperswil
>CH-8640 Rapperswil (Switzerland)
>===========================================================[ITA-HSR]==
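
The mechanism discussed in this thread (an updown hook that inserts a source-NAT rule so LAN traffic enters the tunnel with the virtual IP), as an added sketch that is not part of the original messages and is not the linked nat_updown script. LAN_CLIENT and DRY_RUN are hypothetical names introduced here; the PLUTO_* variables are the ones strongSwan passes to updown scripts.

```shell
#!/bin/sh
# Added sketch of an updown hook (set with leftupdown= in ipsec.conf); it is
# not the nat_updown script linked in the thread.
# strongSwan exports PLUTO_* variables to the hook. With the Linux kernel's
# native IPsec stack there is no separate ipsec device: PLUTO_INTERFACE is the
# ordinary interface the tunnel traffic leaves on (for example eth0).
# LAN_CLIENT (address of the host behind the road warrior) and DRY_RUN are
# hypothetical names introduced for this sketch.

# Print the SNAT rule for the given iptables action (-A to add, -D to delete).
# nat/POSTROUTING is traversed before the IPsec policy lookup, so the rewritten
# source (the virtual IP) is what gets matched and encapsulated in ESP.
nat_rule() {
    printf 'iptables -t nat %s POSTROUTING -o %s -s %s -d %s -j SNAT --to-source %s\n' \
        "$1" "$PLUTO_INTERFACE" "$LAN_CLIENT" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_SOURCEIP"
}

updown() {
    # Refuse to build a rule from missing values (e.g. no virtual IP assigned).
    for v in PLUTO_VERB PLUTO_INTERFACE PLUTO_PEER_CLIENT PLUTO_MY_SOURCEIP LAN_CLIENT; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "nat hook: $v is not set" >&2; return 2; }
    done
    case "$PLUTO_VERB" in
        up-client)   rule=$(nat_rule -A) ;;   # tunnel came up: add the rule
        down-client) rule=$(nat_rule -D) ;;   # tunnel went down: remove it
        *)           return 0 ;;              # other verbs need no NAT change
    esac
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$rule"    # default: only show what would be run
    else
        $rule           # DRY_RUN=0: apply the rule (needs root)
    fi
}

# Run only when invoked as a hook, i.e. when PLUTO_VERB is present.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown
fi
```

The down-client branch deletes exactly the rule that up-client added, so the NAT mapping does not outlive the tunnel.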
