[Swan] ipsec SA's up, no traffic routed? SOLVED

Paul Wouters paul at nohats.ca
Mon May 16 13:53:22 UTC 2016

On Fri, 13 May 2016, Frank wrote:

> Got it working, from centos7 libreswan to ciscoAsa with sourcenat:
> (use this when your net ( is already present and/or NATted in their network)

Thanks for the note. I did a write-up for this at:


> -A POSTROUTING -s -d -o eth4 -j SNAT --to-source
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> add the NAT IP configured on the internal, incoming firewall interface (eth1) (our network).
> ipsec.conf:
> ...
> conn net1
>     also=tunnel1
>     leftsubnet=
>     leftsourceip=

Note if you use NAT to only give them, you could have
done a tunnel with leftsubnet= as well. But perhaps
you did this so you could possibly use more than 1 IP in the future
for NATing?

Also, I don't think your leftsourceip= actually works, unless you
actually configured that IP address on your machine, which I do not
think is needed?

