OK, I have network A 192.168.1.0/24 behind a strongSwan gateway with a public IP of 100.0.0.1. I have a network B 10.0.0.0/16 behind a strongSwan gateway with a public IP of 200.0.0.1. I want to create a net2net IPsec tunnel between network A and network B. I want to set up the tunnel so that network B only sees a single IP that does PAT for network A.
How do I do this?

On Fri, Feb 26, 2016 at 4:08 PM, Noel Kuntze <[email protected]> wrote:
> Hello Sean,
>
> strongSwan doesn't care about what you do with the traffic. It only
> negotiates the IKE_SA and CHILD_SAs.
> What you do after they're established doesn't matter for strongSwan.
>
> On 26.02.2016 22:07, Sean Courtney wrote:
>> Hi Noel,
>>
>> I looked at the man for iptables-extensions. I guess I don't want
>> netmap at all... I want snat. Does strongswan support snat?
>>
>> Thanks,
>> Sean
>>
>> On Fri, Feb 26, 2016 at 3:54 PM, Noel Kuntze <[email protected]> wrote:
>>> > Hello Sean,
>>> >
>>> > Please always send your email to the mailing list, too.
>>> > The scenario only shows the *filter table of iptables, but NAT rules are
>>> > in the *nat table.
>>> > You need to look at the source of the scenario in the repository to see
>>> > all the rules.
>>> >
>>> > It's really not that fancy. The iptables target is described on the man
>>> > page for `iptables` or `iptables-extensions`.
>>> >
>>> >
>>> > On 26.02.2016 21:42, Sean Courtney wrote:
>>>> >> Hi,
>>>> >>
>>>> >> I did look at the example outlined here before posting.
>>>> >>
>>>> >> https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/
>>>> >>
>>>> >> The example uses NETMAP to translate subnets into new subnets with the
>>>> >> same subnet mask.
>>>> >>
>>>> >> I want to do PAT. Is there an example of NETMAP doing PAT? Can NETMAP
>>>> >> do PAT?
>>>> >>
>>>> >> I must be overlooking something so obvious.
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> On Fri, Feb 26, 2016 at 3:12 PM, Noel Kuntze <[email protected]>
>>>> >> wrote:
>>>>>> >>> > Hello Sean,
>>>>>> >>> >
>>>>>>>> >>>> >> I really want to PAT my IPSEC'd subnets. Is there anyone to
>>>>>>>> >>>> >> PAT an
>>>>>>>> >>>> >> entire subnet with StrongSwan?
>>>>>> >>> > Handling the traffic is done in the kernel.
>>>>>> >>> > Use the NETMAP target in iptables and negotiate policies that
>>>>>> >>> > secure the traffic between
>>>>>> >>> > your desired subnet and the remote side.
>>>>>> >>> >
>>>>>> >>> > --
>>>>>> >>> >
>>>>>> >>> > Mit freundlichen Grüßen/Kind Regards,
>>>>>> >>> > Noel Kuntze
>>>>>> >>> >
>>>>>> >>> > GPG Key ID: 0x63EC6658
>>>>>> >>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>> >>> >
>>>>>> >>> >
>>>> >>
>>>> >> -- Sean Courtney Ph - 410 878 7833
>>> >
>>> >
>>> > --
>>> >
>>> > Mit freundlichen Grüßen/Kind Regards,
>>> > Noel Kuntze
>>> >
>>> > GPG Key ID: 0x63EC6658
>>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> >
>>
>> -- Sean Courtney Ph - 410 878 7833
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>

-- Sean Courtney Ph - 410 878 7833

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
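
Added example, not part of the thread and not strongSwan project code: a dry-run script for gateway A that prints the `*nat` SNAT rule and a matching `ipsec.conf` connection, following the division of labour described in the replies (iptables translates, strongSwan negotiates policies for the translated address). The PAT address `192.0.2.10`, the connection name `a-pat-to-b` and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Gateway A (public IP 100.0.0.1). Subnets and gateway IPs are from the thread.
LAN_A="192.168.1.0/24"
LAN_B="10.0.0.0/16"
# Assumption: the single address network B should see (placeholder value).
PAT_IP="${PAT_IP:-192.0.2.10}"

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 when address $1 lies inside CIDR $2.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# Print the rule and the conn for review; nothing is applied to the system.
plan() {
    # The PAT address must not collide with network B's own range.
    if in_cidr "$PAT_IP" "$LAN_B"; then
        echo "error: PAT address $PAT_IP lies inside $LAN_B" >&2
        return 1
    fi
    # NAT rules belong in the nat table. -I 1 places the rule ahead of any
    # existing MASQUERADE rule so tunnel-bound traffic is translated here.
    echo "iptables -t nat -I POSTROUTING 1 -s $LAN_A -d $LAN_B -j SNAT --to-source $PAT_IP"
    # The kernel matches the IPsec policy against the translated source, so
    # the negotiated local selector is PAT_IP/32, not LAN_A.
    # Authentication settings are omitted; add the ones your peers use.
    cat <<EOF
conn a-pat-to-b
    left=100.0.0.1
    leftsubnet=$PAT_IP/32
    right=200.0.0.1
    rightsubnet=$LAN_B
    auto=start
EOF
}

plan
```

Gateway B needs the mirrored connection (`leftsubnet=10.0.0.0/16`, `rightsubnet` set to the PAT address as a /32). Because this is source NAT, hosts in network B cannot open new connections to hosts in network A through the PAT address.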
