[strongSwan] strongswan + source nat on freeBSD
Sebastian Jäschke
jtkoerting at mac.com
Wed Sep 17 23:05:03 CEST 2014
Hello list!
I'm trying to achieve the following:
leftside is:
one machine with wan ip 1.2.3.4
all traffic thru the ipsec tunnel should have 192.168.0.10 as source ip
rightside is:
one gateway with openswan installed with wan ip 4.3.2.1
behind the gate is a localnetwork 10.0.0.1/10
ipsec.conf
left=%defaultroute
leftsourceip=192.168.0.10
leftsubnet=192.168.0.0/24
right=4.3.2.1
rightsubnet=10.0.0.1/10
rightid=@xxxxxxxxx
mobike=no
authby=secret
auto=route
The left interface has a working route and the 192.168.0.10 as alias set on the outside interface.
The tunneling is working, when I set the source IP on each function call like this:
ping -S 192.168.0.10 10.0.0.100
10.0.0.100 is existing behind the rightside gateway.
I can use freeBSDs firewall 'pf' to do a nat on the source address, BUT then it's not recognized by strongswan/ipsec to begin a tunnel as it works when I explicitly set the source address e.g. with ping -S.
pfctl -s all shows it's NATing the source address (when I just use 'ping 10.0.0.100') , but no esp traffic is initiated, so no ipsec tunnel is used and the ping fails.
STATES:
all icmp 192.168.0.10:61867 (1.2.3.4:57327) -> 10.0.0.100:61867 0:0
I would be really, really pleased if someone points me to a solution for this (getting the right source address for all packets trying to access the inner tunnel network of rightside).
At the moment it looks like that in the freeBSD (10.0p8) Kernel the ipsec is checked BEFORE the nat rules are translated, so that the ipsec trap is never getting translated traffic. Is this my problem here with that setup?
Any help is welcome and many thanks in advance!
Jimmy
More information about the Users
mailing list