Hi, I’m trying to set up an IPsec connection from a recent CentOS 7 box to a Cisco ASA.

Libreswan version 3.15 XFRM(netkey) on 3.10.0-327.10.1.el7.x86_64.

The remote/right side already has the same internal range (192.168.1.0/24) present in their network for other purposes, and has also NATted this network for another party/purpose. What I would like is to source-NAT my traffic so that it appears to come from a ‘fake’, virtual IP range or address (say, 10.27.89.0/24), so that the right/remote side only sees this 10.27.89.0/24 traffic and can route accordingly.

Is this possible / how do I configure this with libreswan? I can’t use KLIPS for ‘easier debug/tcpdump’: the CentOS is a stock image, and I can’t recompile the kernel / find the KLIPS kernel module. Are specific iptables rules needed for the source NAT? How should I go about debugging this?

Thanks, Frank.

PS. For OpenBSD ipsec/pf, this works like this (to another Cisco party; I must use CentOS 7/libreswan here):

    ike esp from 10.27.89.34 (192.168.1.0/24) to <their_internal_ip_network> \
        peer <their_internet_gateway_ip> \
        main auth hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800 \
        quick auth hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800 \
        psk <presharedkey>

The "from" IP is virtual; my internal net is between brackets.

pf config:

    match out on enc0 from 192.168.1.0/24 to <their_internal_ip_network> nat-to 10.27.89.34

The remote net only sees traffic as if coming from IP 10.27.89.34.

_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
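The usual way to reproduce the OpenBSD "virtual from-address plus pf nat-to" setup on libreswan with the XFRM/netkey stack, as an added example that is not part of the original post and not libreswan project code: libreswan itself has no NAT-before-IPsec option, so the translation is done by the nat table's POSTROUTING chain, and the conn's leftsubnet= describes the post-NAT source. Netfilter repeats the XFRM policy lookup after a POSTROUTING SNAT/NETMAP changes the source, so the translated packet is what the "out" policy matches and encrypts. The remote subnet, the two gateway addresses and the PSK below are assumed placeholder values (the post elides them); the ASA's crypto ACL has to reference the fake range, not 192.168.1.0/24.

```shell
#!/bin/sh
# Added example (not from the original post or the libreswan project):
# libreswan 3.x conn + iptables nat rules that present 192.168.1.0/24 to the
# peer as 10.27.89.0/24, mirroring the OpenBSD ipsec.conf/pf.conf in the post.
#
# Assumed values, stand-ins for the placeholders in the post:
LOCAL_NET="192.168.1.0/24"      # real internal range, also in use on the remote side
FAKE_NET="10.27.89.0/24"        # virtual range the remote will see (1:1 NETMAP)
FAKE_IP="10.27.89.34"           # single virtual address, for many-to-one SNAT instead
REMOTE_NET="172.16.50.0/24"     # assumed: <their_internal_ip_network>
REMOTE_GW="203.0.113.10"        # assumed: <their_internet_gateway_ip>
LOCAL_GW="198.51.100.20"        # assumed: public address of this CentOS box
PSK="changeme"                  # assumed stand-in for <presharedkey>

# conn section for /etc/ipsec.d/asa.conf. The traffic selector is the *fake*
# range; algorithms/lifetimes mirror the OpenBSD config (aes-256, hmac-sha2-256,
# modp1024, 28800 s) and IKEv1 main mode is forced with ikev2=no.
ipsec_conf() {
    cat <<EOF
conn asa
    left=$LOCAL_GW
    leftsubnet=$FAKE_NET
    right=$REMOTE_GW
    rightsubnet=$REMOTE_NET
    authby=secret
    ikev2=no
    ike=aes256-sha2_256;modp1024
    phase2alg=aes256-sha2_256;modp1024
    ikelifetime=8h
    salifetime=8h
    auto=start
EOF
}

# matching /etc/ipsec.d/asa.secrets line
ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$LOCAL_GW" "$REMOTE_GW" "$PSK"
}

# nat-table rules, emitted as commands. NETMAP keeps a 1:1 mapping
# (192.168.1.x -> 10.27.89.x), which is what a /24 leftsubnet implies. The
# commented SNAT line is the many-to-one equivalent of pf's "nat-to 10.27.89.34"
# and would pair with leftsubnet=10.27.89.34/32. Either rule must sit in front
# of any general MASQUERADE rule, otherwise the tunnel sees the wrong source.
nat_rules() {
    cat <<EOF
iptables -t nat -I POSTROUTING 1 -s $LOCAL_NET -d $REMOTE_NET -j NETMAP --to $FAKE_NET
# iptables -t nat -I POSTROUTING 1 -s $LOCAL_NET -d $REMOTE_NET -j SNAT --to-source $FAKE_IP
# decrypted packets traverse PREROUTING again, so connections the remote side
# opens towards 10.27.89.x need the reverse (destination) mapping:
iptables -t nat -I PREROUTING 1 -s $REMOTE_NET -d $FAKE_NET -j NETMAP --to $LOCAL_NET
EOF
}

# Debug checklist for XFRM/netkey (no KLIPS ipsecX interface): ESP and the
# clear text before encryption / after decryption are both visible on the
# physical interface, so filter tcpdump by the inner networks.
debug_commands() {
    cat <<EOF
ipsec status | grep asa
ip xfrm policy                      # expect "src $FAKE_NET dst $REMOTE_NET dir out"
ip xfrm state                       # SAs with $REMOTE_GW; counters grow with traffic
iptables -t nat -vnL POSTROUTING    # hit counters on the NETMAP/SNAT rule
conntrack -L -d $REMOTE_NET         # translated tuples
tcpdump -ni eth0 esp or net $FAKE_NET or net $REMOTE_NET
EOF
}

case "${1:-}" in
    show)  ipsec_conf; ipsec_secrets; nat_rules; debug_commands ;;
    apply) nat_rules | grep -v '^#' | sh -e ;;   # installs only the iptables rules
esac
```

Run with `show` to print the conn, the secrets line, the nat rules and the debug commands; `apply` only installs the iptables rules (as root), the ipsec files are copied into /etc/ipsec.d by hand and loaded with `ipsec auto --add asa` / `ipsec auto --up asa`. If `ip xfrm policy` shows the out policy but the NETMAP counters stay at zero, the packets are being matched by an earlier nat rule; if the counters grow but nothing is encrypted, leftsubnet= does not cover the translated source.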
