[strongSwan] Strongswan and masquerdaing real IPs
Jakob Curdes
jc at info-systems.de
Mon Jun 16 11:22:41 CEST 2014
Hello, we have a setup where we want to hide the real IP addresses of
the tunneled services from the peer side.
We have setup an ikev1 /32 to /32 connection with a linux box and
strongswan 5.x and the ipsec peers can communicate with each other.
I am aware that it is not possible to just tunnel an additional net
through an existing SA;
so we would like to S-NAT packets coming from another internal server to
use the source address of the ipsec router.
This does not seem to work; it looks like the IPSec encapsulation is
done before the SNAT is applied.
I think I remember a discussion on the list on a similar topic but could
not find it in the archives.
Is the a way to get the NATting and encapsulation done in the right order?
Thanks for a tip,
Jakob
More information about the Users
mailing list