[Swan] Centos7 Libreswan to cisco ipsec with sourceNAT?

Nick Howitt nick at howitts.co.uk
Mon May 9 08:26:25 UTC 2016

You should be able to use an iptables rule something like:

iptables -I POSTROUTING -t nat {traffic_identifier} -j SNAT --to-source

I'm not sure if --to-source should be

The problem is the {traffic_identifier}. The easy solution would be to 
use "-d remote_LAN_subnet", but if this also exists on your LAN you have 
a problem. You may be able to use "-m policy --pol ipsec --dir out", but 
the overlapping subnets may be the killer anyway and stop any traffic 

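An added example, not from this thread, that encodes the choice above in plain POSIX sh: it checks whether the remote subnet overlaps the local LAN and, if it does, matches on the outbound IPsec policy instead of "-d". All addresses are constructed placeholders, and it assumes the libreswan conn's leftsubnet is set to the virtual address so the ASA only ever sees that range.

```shell
#!/bin/sh
# Added example, not from the thread: pick the SNAT rule Nick describes.
# Addresses are constructed placeholders; override them in the environment.
LAN_SUBNET=${LAN_SUBNET:-192.168.1.0/24}       # real LAN behind the CentOS box
VIRTUAL_IP=${VIRTUAL_IP:-10.99.0.1}            # "fake" source the ASA should see
REMOTE_SUBNET=${REMOTE_SUBNET:-192.168.1.0/24} # ASA side; overlaps the LAN here
DRY_RUN=${DRY_RUN:-1}                          # set DRY_RUN= to really call iptables
# Dotted quad -> 32-bit integer (192.168.1.0 -> 3232235776)
ip4_to_int() {
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (24 -> 4294967040)
prefix_mask() {
  [ "$1" -eq 0 ] && { echo 0; return; }
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_overlaps A/n B/m: succeed if the two IPv4 ranges share any address
cidr_overlaps() {
  short=${1#*/}; [ "${2#*/}" -lt "$short" ] && short=${2#*/}
  m=$(prefix_mask "$short")
  [ $(( $(ip4_to_int "${1%/*}") & m )) -eq $(( $(ip4_to_int "${2%/*}") & m )) ]
}

# snat_rule LAN VIRTUAL REMOTE: print the POSTROUTING rule spec. When the
# remote range also exists on the LAN, "-d REMOTE" is ambiguous, so match
# on the outbound IPsec policy instead (Nick's second option).
snat_rule() {
  if cidr_overlaps "$1" "$3"; then
    match="-s $1 -m policy --pol ipsec --dir out"
  else
    match="-s $1 -d $3"
  fi
  echo "$match -j SNAT --to-source $2"
}

# apply_snat: install the rule once (-C checks for an existing copy first)
apply_snat() {
  spec=$(snat_rule "$LAN_SUBNET" "$VIRTUAL_IP" "$REMOTE_SUBNET")
  if [ -n "$DRY_RUN" ]; then
    echo "iptables -t nat -I POSTROUTING $spec"
    return 0
  fi
  iptables -t nat -C POSTROUTING $spec 2>/dev/null ||
    iptables -t nat -I POSTROUTING $spec
}
apply_snat
```

Run it as-is to see the rule it would install; clear DRY_RUN and run as root to apply it.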

On 2016-05-09 09:01, Frank wrote:
> Hi,
> I’m trying to setup an ipsec connection from a recent centos7 box to a
> cisco ASA.
> Libreswan Version 3.15 XFRM(netkey) on 3.10.0-327.10.1.el7.x86_64
> The remote/right side already has same internal range (
> present in their network for other purposes and also NATted this
> network for another party/purpose.
> What I would like is to sourceNAT my traffic as to be coming from a
> ‘fake’, virtual ip range or address (say,, the that the
> right/remote only sees this traffic & can route
> accordingly.
> Is this possible / how to configure this with libreswan?
> Can’t use KLIPS for ‘easier debug/tcpdump’, the centos is a stock
> image, can’t recompile the kernel/find the klips kernel module.
> Are specific iptables rules needed for the sourceNAT?
> How to go about debugging this ?
> Thanks,
> Frank.
> PS.
> For OpenBSD ipsec/pf, this works like this (to another cisco party, I
> must use centos7/libreswan here):
> ike esp from ( to
> <their_internal_ip_network> peer <their_internet_gateway_ip> main auth
> hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800 quick auth
> hmac-sha2-256 enc aes-256 group modp1024 lifetime 28800  psk
> <presharedkey>
> the from ip is virtual, my internal net between brackets
> pf config:
> match out on enc0 from to <their_internal_ip_network>
> nat-to
> Remote net only sees traffic as if coming from ip
