[Swan] Centos7 Libreswan to cisco ipsec with sourceNAT?

Frank frank at dio.demon.nl
Mon May 9 08:01:02 UTC 2016


I’m trying to set up an IPsec connection from a recent CentOS 7 box to a Cisco ASA.

Libreswan Version 3.15 XFRM(netkey) on 3.10.0-327.10.1.el7.x86_64

The remote/right side already has the same internal range ( present in their network for other purposes, and has also NATted this network for another party/purpose.

What I would like is to source-NAT my traffic so that it appears to come from a ‘fake’, virtual IP range or address (say,, so that the right/remote side only sees this traffic & can route accordingly.

Is this possible, and how do I configure it with Libreswan?

I can’t use KLIPS for ‘easier debug/tcpdump’: the CentOS box is a stock image, and I can’t recompile the kernel or find the KLIPS kernel module.
Are specific iptables rules needed for the source NAT?
How do I go about debugging this?

For OpenBSD ipsec/pf, this works like this (to another Cisco party; I must use CentOS 7/Libreswan here):
ike esp from ( to <their_internal_ip_network> peer <their_internet_gateway_ip> main auth hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800 quick auth hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800  psk <presharedkey>
The ‘from’ IP is virtual; my internal net is between brackets.
pf config:
match out on enc0 from to <their_internal_ip_network> nat-to
The remote net only sees traffic as if coming from IP
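The Linux/netkey equivalent of the OpenBSD "nat-to on enc0" setup above, as an added example that is not part of the original post or of Libreswan's own documentation. It assumes constructed placeholder addresses (real inside net 10.10.0.0/24, virtual source 192.0.2.10, remote net 172.16.50.0/24, remote gateway 198.51.100.1, local public address 203.0.113.5) and a hypothetical conn name "cisco-snat". The key point it shows: with XFRM the source NAT is done in the iptables nat POSTROUTING chain, and the kernel re-runs the IPsec policy lookup on the post-NAT source, so the Libreswan conn's leftsubnet must be the virtual address, not the real inside network.

```shell
#!/bin/bash
# Added example: source NAT in front of a Libreswan (netkey/XFRM) tunnel.
# All addresses below are constructed placeholders, not from the original post.
set -eu

REAL_NET="10.10.0.0/24"      # real inside network (overlaps with the remote side)
VIRT_IP="192.0.2.10"         # virtual address the remote side should see
THEIR_NET="172.16.50.0/24"   # remote (Cisco ASA) internal network
THEIR_GW="198.51.100.1"      # remote Internet gateway (IKE peer)
MY_IP="203.0.113.5"          # our own public address

# Libreswan conn: leftsubnet is the *virtual* address. The kernel performs the
# XFRM policy lookup again after nat POSTROUTING has rewritten the source, so
# the policy must match the NATed address, mirroring the OpenBSD "from <virtual>".
render_conn() {
cat <<EOF
conn cisco-snat
    left=${MY_IP}
    leftsubnet=${VIRT_IP}/32
    right=${THEIR_GW}
    rightsubnet=${THEIR_NET}
    authby=secret
    ikev2=no
    ike=aes256-sha2_256;modp1024
    phase2alg=aes256-sha2_256;modp1024
    ikelifetime=8h
    salifetime=8h
    auto=start
EOF
}

# SNAT only traffic destined for the remote network, so nothing else is affected
# (the counterpart of "match out on enc0 ... nat-to" in pf).
render_nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
        "$REAL_NET" "$THEIR_NET" "$VIRT_IP"
}

# Debugging without KLIPS: inspect XFRM policies/states, the NAT counters,
# and the IKE/ESP packets on the physical interface.
render_debug_cmds() {
cat <<EOF
ipsec status
ip xfrm policy
ip xfrm state
iptables -t nat -vnL POSTROUTING
tcpdump -ni eth0 esp or udp port 500 or udp port 4500
EOF
}

# Apply only when explicitly requested (needs root); otherwise just render.
if [ "${1:-}" = "--apply" ]; then
    render_conn > /etc/ipsec.d/cisco-snat.conf
    sh -c "$(render_nat_rule)"
    ipsec auto --add cisco-snat && ipsec auto --up cisco-snat
else
    render_conn
    render_nat_rule
    render_debug_cmds
fi
```

Run it without arguments to see the generated conn, NAT rule and debug commands; the PSK for the peer still goes into /etc/ipsec.secrets in the usual "left right : PSK" form. If the SNAT counters in POSTROUTING increase but `ip xfrm state` shows no ESP bytes, the conn's leftsubnet does not match the post-NAT source; if the counters stay at zero, the traffic is not being forwarded through this box at all.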
