[strongSwan] strongswan + source nat on freeBSD

[Sebastian Jäschke]

Hello list!

I'm trying to achieve the following:

leftside is:

one machine with wan ip 1.2.3.4
all traffic thru the ipsec tunnel should have 192.168.0.10 as source ip

rightside is:

one gateway with openswan installed with wan ip 4.3.2.1
behind the gate is a localnetwork 10.0.0.1/10

ipsec.conf
        left=%defaultroute
        leftsourceip=192.168.0.10
        leftsubnet=192.168.0.0/24
        right=4.3.2.1
        rightsubnet=10.0.0.1/10
        rightid=@xxxxxxxxx
        mobike=no
        authby=secret
        auto=route


The left interface has a working route and the 192.168.0.10 as alias set on the outside interface.


The tunneling is working, when I set the source IP on each function call like this:

ping -S 192.168.0.10 10.0.0.100

10.0.0.100 is existing behind the rightside gateway.


I can use freeBSDs firewall 'pf' to do a nat on the source address, BUT then it's not recognized by strongswan/ipsec to begin a tunnel as it works when I explicitly set the source address e.g. with ping -S.

pfctl -s all shows it's NATing the source address (when I just use 'ping 10.0.0.100') , but no esp traffic is initiated, so no ipsec tunnel is used and the ping fails.

STATES:
all icmp 192.168.0.10:61867 (1.2.3.4:57327) -> 10.0.0.100:61867       0:0


I would be really, really pleased if someone points me to a solution for this (getting the right source address for all packets trying to access the inner tunnel network of rightside).
At the moment it looks like that in the freeBSD (10.0p8) Kernel the ipsec is checked BEFORE the nat rules are translated, so that the ipsec trap is never getting translated traffic. Is this my problem here with that setup?

Any help is welcome and many thanks in advance!

Jimmy