[strongSwan] transport with 1:1 NAT + more NAT
Arvid E. Picciani
aep at exys.org
Tue Apr 29 13:10:00 CEST 2014
Hey,
I'm trying to get transport mode working with the following setup:
[192.168.1.130] ---> [192.168.1.130 : 1.2.3.4] ~~~internet~~~> [2.2.2.2] --> [1.1.1.1]
The first NAT is any random ISP home router setup; the second is Amazon VPC, which is a 1:1 NAT.
Apparently the problem is the second, since I need to use its local IP (192.168.0.200) for declaring right=, otherwise strongSwan won't start at all.
But the left side (192.168.1.130) has no idea about that private IP; it just sees the public one.
The tunnel establishes fine (probably using NAT-T/MOBIKE/whatever), but packets won't make it through:
ping: sendmsg: Operation not permitted
my server config:
#2.2.2.2 PUBLIC SERVER IP
#1.1.1.1 PRIVATE SERVER IP
#192.168.1.130 CLIENT IP BEHIND NAT
conn 64-1-ap-o1
    auto=route
    type=transport
    #
    left=1.1.1.1
    leftid=2.2.2.2
    leftsubnet=192.168.1.130/32
    leftsourceip=2.2.2.2
    #
    right=%any
    rightsubnetwithin=0.0.0.0/0
    forceencaps=yes
    #
    # crypto
    #
    esp=aes128-md5
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
    #
    # cert stuff
    #
    leftcert=endpoint1
    leftsendcert=never
    rightcert=64-1.ap
    rightsendcert=never
my client config:
#2.2.2.2 PUBLIC SERVER IP
#1.1.1.1 PRIVATE SERVER IP
#192.168.1.130 CLIENT IP BEHIND NAT
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=yes
    # plutostart=yes

conn uplink
    #
    # connection
    #
    auto=route
    type=transport
    forceencaps=yes
    #
    # the AP (me)
    #
    left=192.168.1.130
    leftprotoport=%any
    #
    # the endpoint
    #
    right=2.2.2.2.2
    rightid=2.2.2.2
    rightsourceip=%config
    rightprotoport=%any
    rightsubnetwithin=0.0.0.0/0
    #
    # crypto
    #
    esp=aes128-md5
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
    #
    # cert stuff
    #
    rightcert=endpoint1
    rightsendcert=never
    leftcert=64-1.ap
    leftsendcert=never
    #
    # timeouts
    #
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
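A small sanity check for the two configurations above, added here as an example and not part of the original post or of strongSwan itself: it parses ipsec.conf-style text, verifies that every address-valued parameter is either an IP literal or a %keyword (anything else strongSwan treats as a hostname to resolve), checks that subnet values are valid CIDR, and cross-checks the two sides for a consistent peer identity (the client's rightid against the server's leftid) and identical ESP/IKE proposals. The embedded configs are copies of the posted ones, trimmed to the relevant lines; the parser and the rule names are this example's own assumptions. Run on the posted client config it reports `right=2.2.2.2.2`, which is not a valid IPv4 literal.

```python
"""Added example: a minimal ipsec.conf linter for address and peer-consistency checks."""
import ipaddress

# Parameters whose value must be an IP literal, a %keyword (%any, %config, ...), or a hostname.
ADDRESS_PARAMS = {"left", "right", "leftsourceip", "rightsourceip"}
# Parameters whose value must be a CIDR network.
SUBNET_PARAMS = {"leftsubnet", "rightsubnet", "leftsubnetwithin", "rightsubnetwithin"}

# Trimmed copy of the posted server config (indentation restored, comments dropped).
SERVER_CONF = """\
conn 64-1-ap-o1
    auto=route
    type=transport
    left=1.1.1.1
    leftid=2.2.2.2
    leftsubnet=192.168.1.130/32
    leftsourceip=2.2.2.2
    right=%any
    rightsubnetwithin=0.0.0.0/0
    forceencaps=yes
    esp=aes128-md5
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
"""

# Trimmed copy of the posted client config; note the five-octet address in right=.
CLIENT_CONF = """\
config setup
    # nat_traversal=yes
conn uplink
    auto=route
    type=transport
    forceencaps=yes
    left=192.168.1.130
    right=2.2.2.2.2
    rightid=2.2.2.2
    rightsourceip=%config
    rightsubnetwithin=0.0.0.0/0
    esp=aes128-md5
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
"""


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'conn x' -> 'x', 'config setup' -> 'setup'.

    ipsec.conf puts section headers in column 0 and parameters on indented lines,
    so a line's leading whitespace decides what it is.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # section header
            _kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_cidr(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def lint(text):
    """Return a list of human-readable problems found in one ipsec.conf text."""
    problems = []
    for name, params in parse_ipsec_conf(text).items():
        for key, value in params.items():
            if key in ADDRESS_PARAMS and not value.startswith("%") and not is_ip_literal(value):
                problems.append(f"{name}: {key}={value} is not an IP literal (would be resolved as a hostname)")
            if key in SUBNET_PARAMS and not is_cidr(value):
                problems.append(f"{name}: {key}={value} is not a valid CIDR network")
    return problems


def cross_check(client_text, client_conn, server_text, server_conn):
    """Compare the client's view of the server with the server's own settings."""
    client = parse_ipsec_conf(client_text)[client_conn]
    server = parse_ipsec_conf(server_text)[server_conn]
    problems = []
    # The identity the client requires (rightid) must be the one the server asserts (leftid).
    if client.get("rightid") != server.get("leftid"):
        problems.append(f"peer identity mismatch: client rightid={client.get('rightid')} "
                        f"vs server leftid={server.get('leftid')}")
    # Both sides must offer the same proposals, or negotiation fails before any SA exists.
    for key in ("esp", "ike", "keyexchange"):
        if client.get(key) != server.get(key):
            problems.append(f"{key} differs: client={client.get(key)} server={server.get(key)}")
    return problems


if __name__ == "__main__":
    for p in lint(CLIENT_CONF) + lint(SERVER_CONF) + cross_check(CLIENT_CONF, "uplink", SERVER_CONF, "64-1-ap-o1"):
        print(p)
```

The identity check is the one that matters for the 1:1 NAT case described in the post: the server's left= is its private VPC address while its leftid= is the public one, so the client must pin rightid to that public identity rather than to whatever address it happens to connect to.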