This worked for me:  This end is in Amazon in a VPC with NAT-T.  Other end is a 
Cisco ASA.  IPs are examples and sanitized, but you'll get the idea.

ipsec.conf
conn vpc-customerXXX

        # left = this (Amazon VPC) side; leftid is the external address the
        # peer sees, since this side sits behind NAT
        left            = 172.16.1.1
        leftsubnet      = 172.16.1.0/24
        leftfirewall    = yes
        leftauth        = psk
        leftid          = 100.1.1.1

        # right = the Cisco ASA side
        right           = 100.2.2.2
        rightsubnet     = 192.168.1.0/24
        rightauth       = psk
        rightfirewall   = yes

        closeaction     = restart
        auto            = route
        fragmentation   = yes
        keyexchange     = ikev1
        reauth          = yes
        # force UDP encapsulation for NAT-T
        forceencaps     = yes
        rekey           = yes
        installpolicy   = yes
        type            = tunnel
        dpdaction       = restart
        dpddelay        = 10s
        dpdtimeout      = 60s
        ikelifetime     = 3600s
        lifetime        = 3600s
        ike             = aes256-sha1-modp1536!
        esp             = aes256-sha1-modp1024!
        aggressive      = no

ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA myKey.der

172.16.1.1     : PSK "abcd"
100.2.2.2      : PSK "abcd"



Left is you, right is them.

They connect with your "leftid".  When I connect to another Strongswan 
instance, I put in the 'rightid' the same as 'right'.  On the other end, just 
invert the stanzas if it's Strongswan and that is behind NAT (i.e. Amazon 
region to region using Strongswan).

Secrets need to reference your left (internal IP) and their right (external IP).

May be redundant, or have some overkill, but it works and is rock solid.

EKG



> On Jul 8, 2015, at 5:28 PM, Colin Burrows <[email protected]> wrote:
> 
> hi
> 
> i've been looking at https://www.strongswan.org/testresults.html 
> <https://www.strongswan.org/testresults.html> in order to try to find an 
> example of a net2net setup where one device is behind a nat. i intend to use 
> such a setup and was hoping for something i could copy but i did not find any 
> examples.
> 
> could you kindly send me a link to such an example if one is available.
> 
> thanks
> 
> colin
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
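A quick way to catch the two things that go wrong when a stanza like the one in EKG's reply is pasted into a real box is to lint it before `ipsec reload`. The following is an added example, not code from the mailing-list post or from the strongSwan project: it parses a `conn` stanza and an `ipsec.secrets` file, keeps duplicate keys so they can be reported, and checks the rules the post spells out (a PSK keyed on `left` and one on `right`, `forceencaps=yes` when `leftid` differs from `left` because the local side is behind NAT, straight ASCII quotes around the PSK). The embedded sample config and secrets are constructed for the example and deliberately carry the repeated `auto` key and a curly quote.

```python
"""Sanity checks for a strongSwan ipsec.conf conn stanza and its ipsec.secrets.

Added example (not from the post or the strongSwan project).  It applies the
rules the reply states: secrets keyed on `left` and on `right`, forced UDP
encapsulation when the local side sits behind NAT (leftid != left), and
straight ASCII quotes around the PSK.
"""
import re

# Constructed sample modelled on the posting; it carries the two defects a
# copy-paste of the message would bring along: "auto" appears twice and the
# first PSK opens with a curly quote (U+201C) instead of a straight one.
IPSEC_CONF = """\
conn vpc-customerXXX
        left            = 172.16.1.1
        leftsubnet      = 172.16.1.0/24
        leftid          = 100.1.1.1
        leftauth        = psk
        right           = 100.2.2.2
        rightsubnet     = 192.168.1.0/24
        rightauth       = psk
        auto            = route
        forceencaps     = yes
        keyexchange     = ikev1
        auto            = route
"""

IPSEC_SECRETS = """\
# /etc/ipsec.secrets - constructed sample
: RSA myKey.der
172.16.1.1     : PSK \u201cabcd"
100.2.2.2      : PSK "abcd"
"""

SECRET_RE = re.compile(r"^(?P<sel>[^:]*):\s*(?P<type>\w+)\s*(?P<rest>.*)$")


def parse_conn(text):
    """Map conn name -> ordered list of (key, value); duplicates are kept."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header: "conn NAME" / "config setup"
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                conns[current] = []
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current].append((key.strip(), value.strip()))
    return conns


def parse_secrets(text):
    """Return [{selectors, type, rest}] for each '<ids> : TYPE <secret>' line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SECRET_RE.match(line) if line else None
        if m:
            entries.append({"selectors": m.group("sel").split(),
                            "type": m.group("type").upper(),
                            "rest": m.group("rest").strip()})
    return entries


def lint(conf_text, secrets_text):
    """Return a list of (scope, code, message) findings; empty means clean."""
    findings = []
    psk_ids = set()
    for e in parse_secrets(secrets_text):
        if e["type"] != "PSK":
            continue
        psk_ids.update(e["selectors"])
        rest = e["rest"]
        # Curly quotes or an odd number of straight quotes break PSK parsing.
        if any(ord(ch) > 127 for ch in rest) or rest.count('"') % 2:
            findings.append(("secrets", "bad-psk-quoting",
                             f"PSK for {' '.join(e['selectors']) or '%any'} has "
                             "non-ASCII or unbalanced quotes"))
    for name, pairs in parse_conn(conf_text).items():
        counts = {}
        for key, _ in pairs:
            counts[key] = counts.get(key, 0) + 1
        for key, n in counts.items():
            if n > 1:
                findings.append((name, "duplicate-key", f"{key} set {n} times"))
        opts = dict(pairs)                   # last value wins
        if opts.get("auto") not in ("add", "route", "start", "ignore"):
            findings.append((name, "bad-auto", f"auto={opts.get('auto')!r}"))
        for side in ("left", "right"):       # the post: secrets name left and right
            if opts.get(f"{side}auth") == "psk":
                addr = opts.get(side)
                if addr and addr not in psk_ids and "%any" not in psk_ids:
                    findings.append((name, "missing-psk",
                                     f"no PSK entry for {side}={addr}"))
        behind_nat = "leftid" in opts and opts["leftid"] != opts.get("left")
        if behind_nat and opts.get("forceencaps") != "yes":
            findings.append((name, "no-forceencaps",
                             "leftid differs from left (local side behind NAT) "
                             "but forceencaps is not yes"))
    return findings


if __name__ == "__main__":
    for scope, code, msg in lint(IPSEC_CONF, IPSEC_SECRETS):
        print(f"{scope}: [{code}] {msg}")
```

Run against the sample it reports the duplicated `auto` key and the bad quoting on the first PSK line; once those are fixed the stanza passes, and flipping `forceencaps` to `no` on a NAT'd side is reported as the single remaining finding.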


