[strongSwan] PAT

Sean Courtney scourtney2000 at gmail.com
Fri Feb 26 22:30:58 CET 2016


OK,

I have network A 192.168.1.0/24 behind a strongswan gateway with a
public ip of 100.0.0.1. I have a network B 10.0.0.0/16 behind a
strongswan gateway with a public ip of 200.0.0.1. I want to create a
net2net IPSEC tunnel between network A and network B. I want to set up
the tunnel so that Network B only sees a single IP that does PAT for
network A.

How do I do this?

On Fri, Feb 26, 2016 at 4:08 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Sean,
>
> strongSwan doesn't care about what you do with the traffic. It only negotiates the IKE_SA and CHILD_SAs.
> What you do after they're established doesn't matter for strongSwan.
>
> On 26.02.2016 22:07, Sean Courtney wrote:
>> Hi Noel,
>>
>> I looked at the man for iptables-extensions. I guess I don't want
>> netmap at all...I want SNAT. Does strongSwan support SNAT?
>>
>> Thanks,
>> Sean
>>
>> On Fri, Feb 26, 2016 at 3:54 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> > Hello Sean,
>>> >
>>> > Please always send your email to the mailing list, too.
>>> > The scenario only shows the *filter table of iptables, but NAT rules are in the *nat table.
>>> > You need to look at the source of the scenario in the repository to see all the rules.
>>> >
>>> > It's really not that fancy. The iptables target is described on the man page for `iptables` or `iptables-extensions`.
>>> >
>>> >
>>> > On 26.02.2016 21:42, Sean Courtney wrote:
>>>> >> Hi,
>>>> >>
>>>> >> I did look at the example outlined here before posting.
>>>> >>
>>>> >> https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/
>>>> >>
>>>> >> The example uses NETMAP to translate subnets into new subnets with the
>>>> >> same subnet mask.
>>>> >>
>>>> >> I want to do PAT. Is there an example of NETMAP doing PAT? Can NETMAP do PAT?
>>>> >>
>>>> >> I must be overlooking something so obvious.
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> On Fri, Feb 26, 2016 at 3:12 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>>> >>> > Hello Sean,
>>>>>> >>> >
>>>>>>>> >>>> >> I really want to PAT my IPSEC'd subnets. Is there anyone to PAT an
>>>>>>>> >>>> >> entire subnet with StrongSwan?
>>>>>> >>> > Handling the traffic is done in the kernel.
>>>>>> >>> > Use the NETMAP target in iptables and negotiate policies that secure the traffic between
>>>>>> >>> > your desired subnet and the remote side.
>>>>>> >>> >
>>>>>> >>> > --
>>>>>> >>> >
>>>>>> >>> > Mit freundlichen Grüßen/Kind Regards,
>>>>>> >>> > Noel Kuntze
>>>>>> >>> >
>>>>>> >>> > GPG Key ID: 0x63EC6658
>>>>>> >>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>> >>> >
>>>>>> >>> >
>>>> >>
>>>> >> -- Sean Courtney Ph - 410 878 7833
>>> >
>>> >
>>> > --
>>> >
>>> > Mit freundlichen Grüßen/Kind Regards,
>>> > Noel Kuntze
>>> >
>>> > GPG Key ID: 0x63EC6658
>>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> >
>>
>> -- Sean Courtney Ph - 410 878 7833
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>



-- 
Sean Courtney
Ph - 410 878 7833
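
The split described in the quoted replies (NAT in the kernel's *nat table, strongSwan only negotiating a policy for the translated address), as an added sketch that is not part of the thread or of strongSwan's test scenario. The networks and gateway addresses are the ones from the question; `PAT_IP`, the conn name and the helper function names are assumptions, and authentication settings are left out.

```shell
#!/bin/sh
# Added example: hide network A behind one address (PAT via SNAT) and
# negotiate the tunnel for that single address instead of the real subnet.
NET_A=192.168.1.0/24     # from the thread
NET_B=10.0.0.0/16        # from the thread
GW_A=100.0.0.1           # from the thread
GW_B=200.0.0.1           # from the thread
PAT_IP=192.168.100.1     # assumption: an otherwise unused address

# Print the *nat rule in iptables-restore format (prints only, no root needed).
# Args: source net, destination net, PAT address.
nat_rules() {
    printf '*nat\n'
    # SNAT rewrites A->B traffic in POSTROUTING. The kernel repeats the
    # IPsec policy lookup after this NAT step, so the translated packet
    # matches the PAT_IP/32 <-> NET_B policy negotiated by strongSwan.
    printf -- '-A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' "$1" "$2" "$3"
    printf 'COMMIT\n'
}

# Print the matching ipsec.conf conn for gateway A.
# Args: local gateway, remote gateway, PAT address, remote net.
ipsec_conn() {
    cat <<EOF
conn net-net-pat
    left=$1
    leftsubnet=$3/32
    right=$2
    rightsubnet=$4
    auto=start
EOF
}

nat_rules "$NET_A" "$NET_B" "$PAT_IP"
ipsec_conn "$GW_A" "$GW_B" "$PAT_IP" "$NET_B"
```

The first part of the output can be loaded with `iptables-restore --noflush`; gateway B mirrors the conn, using `PAT_IP/32` as the remote subnet, so network B only ever sees that one source address.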

