[strongSwan] Strongswan and masquerading real IPs

Noel Kuntze noel at familie-kuntze.de
Mon Jun 16 11:28:08 CEST 2014



Hello Jakob,

You can get NAT and IPsec encapsulation in the right order, because *nat POSTROUTING is in front of the XFRM lookup.
Look at this: http://inai.de/images/nf-packet-flow.png
To make this work, you need to have leftfirewall set to no.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 16.06.2014 11:22, schrieb Jakob Curdes:
> Hello, we have a setup where we want to hide the real IP addresses of the tunneled services from the peer side.
> 
> We have set up an ikev1 /32 to /32 connection with a linux box and strongswan 5.x and the ipsec peers can communicate with each other.
> I am aware that it is not possible to just tunnel an additional net through an existing SA;
> so we would like to S-NAT packets coming from another internal server to use the source address of the ipsec router.
> This does not seem to work; it looks like the IPSec encapsulation is done before the SNAT is applied.
> 
> I think I remember a discussion on the list on a similar topic but could not find it in the archives.
> Is there a way to get the NATting and encapsulation done in the right order?
> 
> Thanks for a tip,
> Jakob
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
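The following is an added example, not code from the thread or from the strongSwan project, that puts Noel's two points into a concrete configuration: the SNAT rule lives in the nat POSTROUTING chain, which the kernel traverses before the XFRM policy lookup, so the /32-to-/32 policy sees the rewritten source address, and the conn is declared with leftfirewall=no so strongSwan's _updown script adds no firewall rules of its own. All addresses (203.0.113.1 for the IPsec router, 198.51.100.1 for the peer, 10.0.0.0/24 for the hidden internal hosts), the conn name and the accompanying FORWARD rules are assumptions chosen for illustration; by default the script only prints the iptables commands, and `IPT=iptables` applies them for real.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed addressing, overridable via the environment:
ROUTER_IP="${ROUTER_IP:-203.0.113.1}"         # the IPsec router's own address, "left" in ipsec.conf
PEER_IP="${PEER_IP:-198.51.100.1}"            # the remote IPsec peer, "right" in ipsec.conf
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"   # internal servers whose real addresses must stay hidden
IPT="${IPT:-echo iptables}"                   # dry run by default; set IPT=iptables to really apply

# The SNAT rule. nat POSTROUTING runs before the XFRM lookup, so by the time the kernel
# looks for an IPsec policy the packet is already ROUTER_IP -> PEER_IP and matches the
# /32 <-> /32 SA; the peer never sees an INTERNAL_NET address.
snat_rule() {
    echo "-t nat -A POSTROUTING -s $INTERNAL_NET -d $PEER_IP/32 -j SNAT --to-source $ROUTER_IP"
}

# Forwarding rules, written out explicitly because with leftfirewall=no strongSwan's
# _updown script installs nothing. Replies come back de-encapsulated with dst ROUTER_IP,
# conntrack reverses the SNAT, and the packet is then forwarded to the internal host.
forward_rules() {
    echo "-A FORWARD -s $INTERNAL_NET -d $PEER_IP/32 -j ACCEPT"
    echo "-A FORWARD -s $PEER_IP/32 -d $INTERNAL_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# ipsec.conf fragment for the host-to-host tunnel (conn name is an assumption).
# leftfirewall=no is the setting Noel's reply asks for.
ipsec_conf() {
cat <<EOF
conn peer-host
    keyexchange=ikev1
    left=$ROUTER_IP
    leftsubnet=$ROUTER_IP/32
    leftfirewall=no
    right=$PEER_IP
    rightsubnet=$PEER_IP/32
    auto=start
EOF
}

# Apply (or, by default, print) the rules, one iptables invocation per line of output.
apply_rules() {
    sysctl_cmd="sysctl -w net.ipv4.ip_forward=1"
    [ "$IPT" = "iptables" ] && $sysctl_cmd || echo "$sysctl_cmd"
    snat_rule | while read -r rule; do $IPT $rule; done
    forward_rules | while read -r rule; do $IPT $rule; done
}

apply_rules
echo "--- ipsec.conf fragment ---"
ipsec_conf
```

Note that the SNAT rule matches on the pre-NAT internal source, not on `-m policy --dir out`: the policy match would be evaluated against the not-yet-rewritten addresses, which have no IPsec policy. The traffic selectors of the existing SA (ROUTER_IP/32 to PEER_IP/32) are what the rewritten packets are checked against, which is why nothing beyond the single /32-to-/32 conn needs to be negotiated with the peer.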

