On Fri, 13 May 2016, Frank wrote:
> Got it working, from CentOS 7 libreswan to Cisco ASA with source NAT:
> (use this when your net (192.168.1.0/24) is already present and/or NATted in
> their network)
Thanks for the note. I did a write-up for this at:
https://libreswan.org/wiki/Subnet_to_subnet_using_NAT
> -A POSTROUTING -s 192.168.1.0/24 -d 10.260.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>
> Add the NAT IP configured on the internal, incoming firewall interface (eth1)
> (our 192.168.1.0/24 network): 10.40.83.13/32
>
> ipsec.conf:
> ...
> conn net1
>     also=tunnel1
>     leftsubnet=10.40.83.0/24
>     leftsourceip=10.40.83.13
Note if you use NAT to only give them 10.40.83.13/32, you could have
done a tunnel with leftsubnet=10.40.83.13/32 as well. But perhaps
you did this so you could possibly use more than 1 IP in the future
for NATing?
Also, I don't think your leftsourceip= actually works, unless you
actually configured that IP address on your machine, which I do not
think is needed?
Paul
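As an added offline sanity check for the rule ordering and address consistency discussed in this thread (example code, not from the thread, the wiki page, or libreswan itself), the script below parses the POSTROUTING rules of an iptables-save nat table and compares them with the conn's leftsubnet, rightsubnet and leftsourceip. It checks that the ipsec policy exemption exists and precedes any MASQUERADE rule, that the SNAT --to-source address lies inside leftsubnet, that the SNAT destination lies inside rightsubnet, and that leftsourceip (if set) matches the SNAT address. Both rulesets are constructed samples; the peer subnet 10.20.10.0/24 is a placeholder, since the posted 10.260.10.0/24 is not a valid IPv4 network. It cannot verify Paul's point that leftsourceip only works when the address is configured on an interface; that remains a runtime check.

```python
"""Offline consistency check: iptables nat POSTROUTING rules vs. a libreswan conn.

Added example, not part of the mailing list thread or of libreswan.
Assumptions: rules are in iptables-save syntax, one rule per line, and
--to-source carries a single address (no ranges). The conn is given as a
dict of the relevant ipsec.conf keys.
"""
import ipaddress
import shlex

# Constructed sample: the layout this thread arrives at (policy exemption,
# then the tunnel SNAT, then a catch-all MASQUERADE for internet traffic).
# 10.20.10.0/24 is a placeholder for the peer's subnet.
GOOD_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -d 10.20.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
-A POSTROUTING -o eth4 -j MASQUERADE
COMMIT
"""

# Constructed sample with several mistakes: MASQUERADE listed first, no
# ipsec policy exemption, and an SNAT address outside leftsubnet.
BAD_NAT_RULES = """\
*nat
-A POSTROUTING -o eth4 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 10.20.10.0/24 -o eth4 -j SNAT --to-source 10.40.84.13
COMMIT
"""

# The conn settings from the thread (rightsubnet is the placeholder above).
SAMPLE_CONN = {
    "leftsubnet": "10.40.83.0/24",
    "rightsubnet": "10.20.10.0/24",
    "leftsourceip": "10.40.83.13",
}

# Options whose next token is their value; everything else is skipped.
_VALUED = ("-s", "-d", "-o", "-j", "-m", "--to-source", "--pol", "--dir")


def parse_postrouting(text):
    """Return the '-A POSTROUTING' rules as option->value dicts, in order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A POSTROUTING"):
            continue
        toks = shlex.split(line)[2:]  # drop '-A POSTROUTING'
        rule = {"raw": line}
        i = 0
        while i < len(toks):
            if toks[i] in _VALUED and i + 1 < len(toks):
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def check_snat_for_tunnel(rules, conn):
    """Return a list of problem strings; an empty list means no issue found."""
    problems = []
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    policy_idx = masq_idx = None
    snats = []
    for idx, r in enumerate(rules):
        if r.get("-j") == "ACCEPT" and r.get("-m") == "policy" and r.get("--pol") == "ipsec":
            if policy_idx is None:
                policy_idx = idx
        elif r.get("-j") == "MASQUERADE":
            if masq_idx is None:
                masq_idx = idx
        elif r.get("-j") == "SNAT":
            snats.append((idx, r))

    # Without the exemption, a later MASQUERADE would rewrite tunnel traffic again.
    if policy_idx is None:
        problems.append("missing '-m policy --dir out --pol ipsec -j ACCEPT' exemption")
    elif masq_idx is not None and masq_idx < policy_idx:
        problems.append("MASQUERADE is listed before the ipsec policy exemption")

    if not snats:
        problems.append("no SNAT rule for the tunnel")
    for idx, r in snats:
        src_ip = ipaddress.ip_address(r.get("--to-source", "0.0.0.0"))
        if src_ip not in left:
            problems.append(f"SNAT --to-source {src_ip} is outside leftsubnet {left}")
        dst = ipaddress.ip_network(r.get("-d", "0.0.0.0/0"), strict=False)
        if not dst.subnet_of(right):
            problems.append(f"SNAT destination {dst} is not within rightsubnet {right}")
        if masq_idx is not None and masq_idx < idx:
            problems.append("MASQUERADE is listed before the tunnel SNAT rule")
        lsip = conn.get("leftsourceip")
        if lsip and ipaddress.ip_address(lsip) != src_ip:
            problems.append(f"leftsourceip {lsip} differs from SNAT --to-source {src_ip}")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_NAT_RULES), ("bad", BAD_NAT_RULES)):
        found = check_snat_for_tunnel(parse_postrouting(text), SAMPLE_CONN)
        print(name, "->", found or "OK")
```

Run it against `iptables-save -t nat` output and the conn's values before bringing the tunnel up; the ordering check is the one that bites most often, because a MASQUERADE placed above the policy exemption silently breaks the tunnel for everything that was not explicitly matched by the SNAT rule.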
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan