[strongSwan] Strongswan - 5.0.4 NAT Questions

Paton, Andy andy.paton at hp.com
Mon Aug 12 12:55:09 CEST 2013


All,

I have a road warrior configuration, where the road warrior is behind NAT, connecting from a Virtual Machine, through to the gateway 10.1.0.2.

In the logs the source IP of traffic to the gateway is the default gateway on the public network that hosts the SS GW. 10.1.0.1.

However - I have been firewalling (FORWARD chain) based on Virtual IP pools - e.g. To only allow Virtual IP Pool 10.4.100.X -> eth2, 10.5.100.X -> eth3. This works fine when using a client that's not behind NAT.

The NAT'ing here is obviously breaking the firewall rules...

What do I need to do on my gateway to be able to get back to being able to firewall based on Client Virtual IP?

I have looked into [1] the nat_up_down script, but don't really understand the mechanics of this and if it is what I need? For example what is PH_IP_ALICE?

Regards,

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown;h=aab1df687484362b2c16eaf6bd30d05b3590520a;hb=HEAD -



Andy Paton - Bsc. (Hons), MBCS
Innovation Engineer

andy.paton at hp.com<mailto:andy.paton at hp.com>

[HP]<http://www.hp.com/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130812/b278c90b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3690 bytes
Desc: image001.png
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130812/b278c90b/attachment.png>


More information about the Users mailing list