Sorry, I should have stated that I am using IKEv2. (charon) When I tried to set the %defaultroute I got a message that it wasn't supported.
Dave

________________________________
From: Andreas Steffen <[email protected]>
To: David Spracklen <[email protected]>
Cc: [email protected]
Sent: Wed, September 22, 2010 1:32:47 PM
Subject: Re: [strongSwan] Question involving NAT

Hello Dave,

are you using IKEv1? If yes then IKEv1 does not support the left=%any
statement since automatic route lookup does not work. Rather use
left=%defaultroute.

Regards

Andreas

On 22.09.2010 16:11, David Spracklen wrote:
> I've tried to use the examples to set up a test of my own involving NAT,
> but I haven't been able to get it to work. I'll list as much of what's
> going on here in hopes you can show me what I'm missing.
>
> There are two machines communicating, Alice and Bob.
>
> Alice: a Fedora VM on a Windows PC
> Bob: a Fedora computer
>
> Alice uses NAT to access the network through the hosting PC to avoid
> network conflicts. That's the biggest difference between my setup and
> the examples. There aren't two NAT machines making a tunnel; I'm trying
> to make a tunnel between two machines, one of which is using NAT to talk
> to the network.
>
>                 NAT
> AliceVM<------->PC<------------>Bob
>
> Thus far I can get Alice and Bob to negotiate a tunnel and their logs
> clearly show everything is working, and yet no data between the two is
> encrypted. I use Wireshark to watch the packets. When I examine the
> xfrm information on Bob, it shows that the IP address in the table is
> that of the PC and not the VM. When running 'ipsec status' it shows
> that the IP address for Alice is that of the VM.
>
> Alice's ipsec.conf:
>
> conn alice-to-bob
>     left=%any
>     leftcert=alice_cert.der
>     leftid="al...@here"
>     leftsubnet=192.168.140.0/24
>     leftfirewall=yes
>     right=192.168.15.177
>     rightallowany=yes
>     rightsubnet=192.168.15.0/24
>     rightid="b...@there"
>
> Bob's ipsec.conf:
>
> conn alice-to-bob
>     left=192.168.15.177
>     leftcert=bob_cert.der
>     leftid="b...@there"
>     right=%any
>     rightallowany=yes
>     rightsubnet=192.168.140.0/24
>     rightid="al...@here"
>     auto=add
>
> I don't have the "leftsubnet" and "leftfirewall" in Bob's ipsec.conf
> because when I do that, the system's networking locks up for some
> reason. One thing I wonder about is that the 'system lockup' might be
> because the tunnel is actually functioning, but there are issues with my
> X session (using Xming) from my PC (that's also running the Alice VM) to
> Bob.
>
> So, again, the real issue with this setup as it is currently is that the
> negotiation happens and strongSwan seems to create a tunnel, but no data
> encryption is actually happening. That's the main problem. I included
> the second issue only to demonstrate one other way I tried to solve the
> problem and get data encryption to happen.
>
> I can't really get the logs off of these machines because their network
> is cut off. If they're needed I can type relevant information from them
> manually, though. I hope that's enough information for you all to be
> able to give me some guidance.
>
> Thanks much for your help.
>
> Dave

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
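Added example, not part of the thread above and not taken from strongSwan's own documentation: an IKEv2 (charon) configuration pair for the topology Dave describes, where Alice sits behind the PC's NAT and Bob has a fixed address. The addresses, subnets and certificate file names are the ones from Dave's configs; the identities (alice@example.org, bob@example.org), the explicit keyexchange=ikev2, Bob's leftsubnet and the auto= settings are my assumptions and are marked as such in the comments.

```conf
# Added example (not from the mailing-list thread). Assumes strongSwan
# with the charon daemon, certificates already installed, and the
# topology  AliceVM <-NAT-> PC <---> Bob  from the thread.

# ---- Alice (192.168.140.0/24, behind the PC's NAT, initiates) ----
conn alice-to-bob
    keyexchange=ikev2                # assumed: pin the connection to charon/IKEv2
    left=%any                        # IKEv2 picks the local address by route lookup;
                                     # this is the form IKEv1/pluto rejects (use %defaultroute there)
    leftcert=alice_cert.der
    leftid="alice@example.org"       # assumed placeholder for the thread's "al...@here"
    leftsubnet=192.168.140.0/24
    leftfirewall=yes                 # updown script adds iptables rules for the tunnelled subnets
    right=192.168.15.177
    rightid="bob@example.org"        # assumed placeholder for the thread's "b...@there"
    rightsubnet=192.168.15.0/24
    auto=start                       # assumed: the NAT'd side has to initiate

# ---- Bob (192.168.15.177, fixed address, responds) ----
conn alice-to-bob
    keyexchange=ikev2                # assumed
    left=192.168.15.177
    leftcert=bob_cert.der
    leftid="bob@example.org"         # assumed placeholder
    leftsubnet=192.168.15.0/24       # assumed: mirrors Alice's rightsubnet so both
                                     # sides propose the same traffic selectors
    right=%any                       # initiator's address is unknown in advance (NAT)
    rightid="alice@example.org"      # assumed placeholder
    rightsubnet=192.168.140.0/24
    auto=add                         # responder only loads the conn and waits
```

Two checks that follow from the symptoms in the thread. First, `ip xfrm state` on Bob showing the PC's address rather than the VM's is expected with NAT traversal: the ESP SA is keyed on the outer addresses the packets actually arrive from, and the state entry will carry `encap type espinudp sport 4500 dport 4500` because charon switches to UDP 4500 once NAT is detected; `ipsec status` reports the inner identity, so the two outputs differ by design. Second, what decides which traffic is protected is the policy, not the state: `ip xfrm policy` should list `src 192.168.140.0/24 dst 192.168.15.0/24` (and the reverse) with a template pointing at the outer addresses. In IKEv2 the selectors are narrowed to the intersection of what both sides configure, so leaving leftsubnet off one peer shrinks the protected range to that host rather than producing an error. The thread reports that adding leftsubnet and leftfirewall on Bob hung its networking; whether that, or the X session from the PC (which is outside 192.168.140.0/24 and so never matched the policy), explains the unencrypted traffic is not established by the thread, so treat the mirrored subnets here as the thing to verify first, not as a confirmed fix.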
