[strongSwan] IPSec SA's not coming up when the device is behind a NAT

Deepika Agarwal deepi7.agarwal at gmail.com
Tue May 22 07:34:31 CEST 2012


Hi Tobias,

I am able to install the virtual ip on the interface and also added a
rule in table 220 for that virtual ip.
After doing that, IPSec tunnel is established automatically with
matching TS using auto=route.
Now, I need to know the virtual ip for doing the above two tasks.
Currently, I'm doing that manually but is there any way to know the
virtual ip programmatically on the client side?

Thanks for your help
Deepika

On Fri, Apr 13, 2012 at 1:32 PM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Deepika,
>
>> As you can see, the installed policy is for 192.168.0.100/32 ===
>> 192.168.5.0/24. Am I missing something here?
>
> Two things, you have to install the virtual IP address on one of the
> client's interfaces even before starting strongSwan (otherwise no
> packets will ever match the trap policy), and you also have to configure
> that IP address as leftsubnet on the client (otherwise the trap policy
> and the source route is not properly installed - as seen above, the
> native IP address is used).
> Theoretically, both of these things could be added by Charon
> automatically if leftsourceip is set to a fixed address.  But it would
> cause problems if a different address is later assigned by the gateway.
>
> Regards,
> Tobias



-- 
If you think you can or if you think you can't, you are right.
-Henry Ford
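
The two client-side steps Tobias describes, plus a matching connection section, as an added example that is not part of the original thread or of strongSwan itself. It only prints the commands and config. The virtual IP 10.3.0.1, interface eth0, conn name `vip-trap` and gateway.example.org are constructed values, and the table 220 entry is assumed to be a source route.

```shell
#!/bin/sh
# Added example: prints (does not run) the client setup for a fixed virtual IP.

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
# The body is a subshell, so the IFS change does not leak to the caller.
valid_ipv4() (
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Print the commands for the two manual steps, in the order they must run.
client_prep_cmds() {
    vip=$1 iface=$2 remote=$3
    valid_ipv4 "$vip" || { echo "invalid virtual IP: $vip" >&2; return 1; }
    # 1. The virtual IP must be on an interface before strongSwan starts,
    #    otherwise no packet ever matches the trap policy.
    echo "ip addr add $vip/32 dev $iface"
    # 2. Source route in table 220 (assumed form of the manually added rule).
    echo "ip route add $remote dev $iface src $vip table 220"
}

# Print the ipsec.conf section: leftsubnet carries the virtual IP, auto=route.
conn_snippet() {
    vip=$1 gateway=$2 remote=$3
    valid_ipv4 "$vip" || return 1
    cat <<EOF
conn vip-trap
    leftsourceip=$vip
    leftsubnet=$vip/32
    right=$gateway
    rightsubnet=$remote
    auto=route
EOF
}

# Constructed sample values; 192.168.5.0/24 is the remote subnet from the thread.
client_prep_cmds 10.3.0.1 eth0 192.168.5.0/24
conn_snippet 10.3.0.1 gateway.example.org 192.168.5.0/24
```

Review the printed commands, run them as root, and only then start strongSwan.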



