[strongSwan] Strongswan and masquerading real IPs

Jakob Curdes jc at info-systems.de
Mon Jun 16 11:22:41 CEST 2014

Hello, we have a setup where we want to hide the real IP addresses of 
the tunneled services from the peer side.

We have set up an IKEv1 /32 to /32 connection with a Linux box and 
strongswan 5.x and the ipsec peers can communicate with each other.
I am aware that it is not possible to just tunnel an additional net 
through an existing SA;
so we would like to S-NAT packets coming from another internal server to 
use the source address of the ipsec router.
This does not seem to work; it looks like the IPSec encapsulation is 
done before the SNAT is applied.

I think I remember a discussion on the list on a similar topic but could 
not find it in the archives.
Is there a way to get the NATting and encapsulation done in the right order?

Thanks for a tip,
