You should be able to use an iptables rule something like:

iptables -I POSTROUTING -t nat {traffic_identifier} -j SNAT --to-source 10.27.89.0/24

I'm not sure if --to-source should be 10.27.89.0-10.27.89.255.

The problem is the {traffic_identifier}. The easy solution would be to use "-d remote_LAN_subnet", but if this also exists on your LAN you have a problem. You may be able to use "-m policy --pol ipsec --dir out", but the overlapping subnets may be the killer anyway and stop any traffic passing.

Nick
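
As an added example (not code from the thread or from Libreswan), a Python sketch of the NAT-before-IPsec layout discussed above: it flags the subnet overlap the reply warns about, shows the 1:1 NETMAP translation as a host-preserving alternative to the SNAT range, and emits the iptables and ipsec.conf lines. It assumes leftsubnet is set to the virtual range so the peer negotiates that range, and uses a constructed placeholder for <their_internal_ip_network>, which the thread does not give.

```python
import ipaddress

# Values from the thread: the real LAN and the virtual range the peer should see.
LOCAL_LAN = "192.168.1.0/24"
FAKE_RANGE = "10.27.89.0/24"
# Constructed placeholder for <their_internal_ip_network> (not given in the thread).
REMOTE_LAN = "172.16.50.0/24"


def layout_problems(local=LOCAL_LAN, fake=FAKE_RANGE, remote=REMOTE_LAN):
    """Return the reasons a NAT-before-IPsec layout cannot work (empty list = OK)."""
    local, fake, remote = (ipaddress.ip_network(n) for n in (local, fake, remote))
    problems = []
    if local.overlaps(remote):
        # The 'killer' from the reply: if the remote range also exists on our LAN,
        # the kernel cannot pick tunnel traffic by destination, so SNAT alone does
        # not help; the peer would have to present a distinct range as well.
        problems.append(f"local {local} overlaps remote {remote}")
    if fake.overlaps(remote):
        problems.append(f"fake {fake} overlaps remote {remote}")
    if local.prefixlen != fake.prefixlen:
        problems.append("NETMAP needs local and fake ranges of equal size")
    return problems


def netmap(addr, local=LOCAL_LAN, fake=FAKE_RANGE):
    """1:1 translation as iptables NETMAP does: keep host bits, swap network bits."""
    local, fake = ipaddress.ip_network(local), ipaddress.ip_network(fake)
    a = ipaddress.ip_address(addr)
    if a not in local:
        raise ValueError(f"{a} is not in {local}")
    host_bits = int(a) - int(local.network_address)
    return str(ipaddress.ip_address(int(fake.network_address) + host_bits))


def nat_rule(local=LOCAL_LAN, fake=FAKE_RANGE, remote=REMOTE_LAN):
    """POSTROUTING rule keyed on destination; this is exactly what an overlapping
    remote range breaks. Replies are un-NATed by conntrack automatically."""
    return (f"iptables -t nat -I POSTROUTING -s {local} -d {remote} "
            f"-j NETMAP --to {fake}")


def conn_fragment(fake=FAKE_RANGE, remote=REMOTE_LAN):
    """ipsec.conf lines (assumption): the peer negotiates the fake range and never
    sees the real LAN inside the tunnel."""
    return [f"leftsubnet={fake}", f"rightsubnet={remote}"]
```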

On 2016-05-09 09:01, Frank wrote:
Hi,

I'm trying to set up an ipsec connection from a recent centos7 box to a
cisco ASA.

Libreswan Version 3.15 XFRM(netkey) on 3.10.0-327.10.1.el7.x86_64

The remote/right side already has the same internal range (192.168.1.0/24)
present in their network for other purposes and also NATted this
network for another party/purpose.

What I would like is to sourceNAT my traffic so as to be coming from a
'fake', virtual ip range or address (say, 10.27.89.0/24), so that the
right/remote only sees this 10.27.89.0/24 traffic & can route
accordingly.

Is this possible / how to configure this with libreswan?


Can't use KLIPS for 'easier debug/tcpdump'; the centos is a stock
image, can't recompile the kernel/find the klips kernel module.
Are specific iptables rules needed for the sourceNAT?
How to go about debugging this?


Thanks,

Frank.


PS.

For OpenBSD ipsec/pf, this works like this (to another cisco party, I
must use centos7/libreswan here):
ike esp from 10.27.89.34 (192.168.1.0/24) to
<their_internal_ip_network> peer <their_internet_gateway_ip> main auth
hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800 quick auth
hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800  psk
<presharedkey>
The "from" ip is virtual; my internal net is between brackets.
pf config:
match out on enc0 from 192.168.1.0/24 to <their_internal_ip_network>
nat-to 10.27.89.34
Remote net only sees traffic as if coming from ip 10.27.89.34
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan