[Swan] ipsec SA's up, no traffic routed? SOLVED

Paul Wouters paul at nohats.ca
Mon May 16 13:53:22 UTC 2016


On Fri, 13 May 2016, Frank wrote:

> Got it working, from CentOS 7 libreswan to Cisco ASA with source NAT:
> (use this when your net (192.168.1.0/24) is already present and/or NATted in their network)

thanks for the note. I did a write up for this at:

  https://libreswan.org/wiki/Subnet_to_subnet_using_NAT

> -A POSTROUTING -s 192.168.1.0/24 -d 10.260.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>
> add the NAT IP configured on the internal, incoming firewall interface (eth1) (our 192.168.1.0/24 network):
> 10.40.83.13/32
>
> ipsec.conf:
> ...
> conn net1
>     also=tunnel1
>     leftsubnet=10.40.83.0/24
>     leftsourceip=10.40.83.13

Note if you use NAT to only give them 10.40.83.13/32, you could have
done a tunnel with leftsubnet=10.40.83.13/32 as well. But perhaps
you did this so you could possibly use more than 1 IP in the future
for NATing?

Also, I don't think your leftsourceip= actually works, unless you
actually configured that IP address on your machine, which I do not
think is needed?

Paul
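The thread's symptom (SAs up, no traffic routed) is often a nat-table ordering problem: a general MASQUERADE for internet access placed ahead of the tunnel SNAT rewrites the packets to the outgoing interface's own address, so they never match the SA's 10.40.83.0/24 selector. The following checker is an added example, not code from the thread or from libreswan. It parses `iptables-save -t nat` output and verifies that the tunnel SNAT and the `-m policy --dir out --pol ipsec -j ACCEPT` exemption precede any general NAT rule. The sample tables are constructed; the remote subnet 10.20.10.0/24 is a placeholder, since the value quoted in the post (10.260.10.0/24) is not a valid IPv4 prefix, and the rule text otherwise follows Frank's configuration.

```python
from typing import List, Optional

# Constructed `iptables-save -t nat` output (not from the thread). Remote subnet
# is a placeholder; local net, NAT IP and interface follow the post.
GOOD_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 10.20.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth4 -j MASQUERADE
COMMIT
"""

# Same rules with a general MASQUERADE inserted at the top of the chain. NAT
# targets are terminating, so packets leave with eth4's own source address,
# never reach the tunnel SNAT and never match the SA's 10.40.83.0/24 selector.
BAD_NAT_TABLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth4 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 10.20.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""


def postrouting_rules(nat_table: str) -> List[str]:
    """Return POSTROUTING rules in chain order from iptables-save text."""
    return [line.strip() for line in nat_table.splitlines()
            if line.startswith("-A POSTROUTING ")]


def is_ipsec_bypass(rule: str) -> bool:
    """The exemption that keeps tunnel traffic out of later NAT rules."""
    return ("-m policy" in rule and "--dir out" in rule
            and "--pol ipsec" in rule and rule.endswith("-j ACCEPT"))


def is_tunnel_snat(rule: str, local_net: str, remote_net: str, nat_ip: str) -> bool:
    """SNAT of the local net to the address that is inside the tunnel's leftsubnet."""
    return (f"-s {local_net}" in rule and f"-d {remote_net}" in rule
            and f"-j SNAT --to-source {nat_ip}" in rule)


def is_general_nat(rule: str) -> bool:
    """A NAT rule not restricted by destination, e.g. MASQUERADE for internet access."""
    return "-j MASQUERADE" in rule or ("-j SNAT" in rule and " -d " not in rule)


def _first_index(rules: List[str], predicate) -> Optional[int]:
    return next((i for i, r in enumerate(rules) if predicate(r)), None)


def check_nat_order(nat_table: str, local_net: str, remote_net: str, nat_ip: str) -> List[str]:
    """Return a list of findings; an empty list means the chain looks right."""
    rules = postrouting_rules(nat_table)
    snat_idx = _first_index(rules, lambda r: is_tunnel_snat(r, local_net, remote_net, nat_ip))
    bypass_idx = _first_index(rules, is_ipsec_bypass)
    general_idx = _first_index(rules, is_general_nat)
    findings: List[str] = []
    if snat_idx is None:
        findings.append(f"no SNAT of {local_net} to {nat_ip} for traffic to {remote_net}")
    if bypass_idx is None:
        findings.append("no '-m policy --dir out --pol ipsec -j ACCEPT' exemption for tunnel traffic")
    if general_idx is not None:
        if snat_idx is not None and general_idx < snat_idx:
            findings.append(f"general NAT rule #{general_idx + 1} precedes tunnel SNAT rule #{snat_idx + 1}")
        if bypass_idx is not None and general_idx < bypass_idx:
            findings.append(f"general NAT rule #{general_idx + 1} precedes IPsec exemption #{bypass_idx + 1}")
    return findings


if __name__ == "__main__":
    for name, table in (("good", GOOD_NAT_TABLE), ("bad", BAD_NAT_TABLE)):
        result = check_nat_order(table, "192.168.1.0/24", "10.20.10.0/24", "10.40.83.13")
        print(name, "->", result or "OK")
```

On a live gateway, feed it the real output of `iptables-save -t nat` with the local net, remote net and NAT address from the conn definition; the ordering findings point at the rule numbers to move with `iptables -t nat -I POSTROUTING <n> ...`.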