That worked great, thank you!!

Mark

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Wednesday, May 11, 2011 11:58 PM
To: Marwil, Mark-P63354
Cc: [email protected]
Subject: Re: [strongSwan] nat-before-esp with virtual ip

Hello Mark,

you must SNAT alice to moon's virtual IP. You can do that
automatically using a customized version of the _updown script.

Regards

Andreas

On 05/12/2011 12:13 AM, [email protected] wrote:
> All,
>
> I am trying to determine if a certain configuration is possible.
>
> I currently have the example ikev1/nat-before-esp configured.
> (http://www.strongswan.org/uml/testresults/ikev1/nat-before-esp/)
>
> Both the Client Alice and the Gateway Moon can successfully ping the
> Client Bob.
>
> I would like to specify a virtual ip for moon in this configuration. I
> have been able to assign a virtual ip address by adding the line
> leftsourceip=%modecfg, so that moon's configuration looks like the following:
>
> config setup
>         plutodebug=control
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         charonstart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>
> conn host-net
>         left=192.168.0.1
>         leftsourceip=%modecfg
>         leftcert=moonCert.pem
>         [email protected]
>         leftfirewall=yes
>         right=192.168.0.2
>         rightsubnet=10.2.0.0/16
>         [email protected]
>         auto=add
>
> Moon successfully gets the virtual ip address and is still able to ping
> Client Bob. However Client Alice is no longer able to ping Client Bob.
> Using a network sniffer I am able to see that Moon's pings are being
> encapsulated, and Alice's pings are being NATed but not encapsulated.
>
> Any suggestions?
>
> Thank you,
>
> Mark

======================================================================
Andreas Steffen                                     [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
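
The SNAT-to-virtual-IP step from Andreas's reply, as an added example that is not part of the thread and not strongSwan's shipped _updown script: a hook meant to be called from a copy of _updown referenced with leftupdown= in conn host-net. The function name snat_hook, the INSIDE_NET value (the network holding alice) and the dry-run IPTABLES default are assumptions made here; PLUTO_VERB, PLUTO_MY_SOURCEIP and PLUTO_PEER_CLIENT are the variables the IKE daemon exports to updown scripts.

```shell
#!/bin/sh
# Added example: keep moon's SNAT rule in step with the virtual IP it
# receives via mode config, so that alice's traffic matches the
# <virtual IP> === rightsubnet policy and is encapsulated in ESP.

INSIDE_NET="${INSIDE_NET:-10.1.0.0/16}"  # constructed value: network behind moon
IPTABLES="${IPTABLES:-echo iptables}"    # dry run; set IPTABLES=iptables to apply

# Environment provided by the daemon when it calls the updown script:
#   PLUTO_VERB         up-host, up-client, down-host, down-client, ...
#   PLUTO_MY_SOURCEIP  virtual IP assigned to this host
#   PLUTO_PEER_CLIENT  remote traffic selector (rightsubnet)
snat_hook() {
    case "$PLUTO_VERB" in
        # -I puts the rule ahead of any existing SNAT rule that would
        # otherwise translate alice to moon's outer address first.
        up-host|up-client)     action=-I ;;
        down-host|down-client) action=-D ;;
        *) return 0 ;;                   # other verbs: nothing to do
    esac

    # No virtual IP assigned: nothing to translate to.
    [ -n "$PLUTO_MY_SOURCEIP" ] || return 0
    vip="${PLUTO_MY_SOURCEIP%/*}"        # strip a prefix length if present

    $IPTABLES -t nat "$action" POSTROUTING \
        -s "$INSIDE_NET" -d "$PLUTO_PEER_CLIENT" \
        -j SNAT --to-source "$vip"
}

snat_hook
```

Because the rule is keyed on PLUTO_MY_SOURCEIP, it follows whatever address mode config hands out and is removed again when the connection goes down.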
