-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Jakob,
You can get NAT and IPsec encapsulation in the right oder, because *nat POSTROUTING is in front of the XFRM lookup. Look at this: http://inai.de/images/nf-packet-flow.png To make this work, you need to have leftfirewall set to no. Regards, Noel Kuntze GPG Key id: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 16.06.2014 11:22, schrieb Jakob Curdes: > Hello, we have a setup where we want to hide the real IP addresses of the > tunneled services from the peer side. > > We have setup an ikev1 /32 to /32 connection with a linux box and strongswan > 5.x and the ipsec peers can communicate with each other. > I am aware that it is not possible to just tunnel an additional net through > an existing SA; > so we would like to S-NAT packets coming from another internal server to use > the source address of the ipsec router. > This does not seem to work; it looks like the IPSec encapsulation is done > before the SNAT is applied. > > I think I remember a discussion on the list on a similar topic but could not > find it in the archives. > Is the a way to get the NATting and encapsulation done in the right order? > > Thanks for a tip, > Jakob > > _______________________________________________ > Users mailing list > [email protected] > https://lists.strongswan.org/mailman/listinfo/users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTnrioAAoJEDg5KY9j7GZYbDkQAI5JdC880Eay4aSFonTDzJ/e aZrD2Ie6IKGw368LHKtR+cimYlz3oO5YWc/gWuYogzGbv1Cwlm+x1hWnIalIFsi1 k6TrVCrW1Y5OXR9ew+fC2ZUHI+KSMLJ2MoemYBW2T3TsKTtDp/kYDSaDJUex/aQD dgnpNs9emvcTQbPO/Q4yt6QaXuUACPIraSi8nsdnpwF4Lp4TiVVDWuNAQd0Fs8qc ASUdL/STICv8j4F6EAn1+T8cKJeLl6g7gbBC7rNsHc/igQ6OW3lBAGb9eY4fxa+Z Nmz/pd++5RnPoPnnMZw4S+Saz4nCFM3uMtWAYRuWu59ySVO3nnKqxYJskP8J+3dR FiDgkq7uHrVTygA9eOgRKDuo/mE4dwtoK1/tEVwDe6C5r34vw+sMy2CDtZZdq2mW RrBjvIXlagWAAjBh++yueRV6iN0nXJb4+Ypwj3vk/l0kFFZDvjfcS0NkAy6tVQFA trw1LPHW//czz5uC+iHc+VdZFErPbLgZToYefSURNIL5aLSbBqnPDPA3ESMZKHFL rNGjWqkY9qXnm/aU/6pxhoQhtyBFGbXnsGTAVPQrmWC7utHYm49iHTfgUW7scZrI HtY8127xzTeiHUQZu1l8xaA3/HhgL7LlWEu268F5BBYO7BAkzlD0IFVjRw9eKQFw 0pAqwUHW3Mi7hIZ2wTEJ =Pr34 -----END PGP SIGNATURE----- _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
