[Swan] ipsec SA's up, no traffic routed? SOLVED
Paul Wouters
paul at nohats.ca
Mon May 16 13:53:22 UTC 2016
On Fri, 13 May 2016, Frank wrote:
> Got it working, from centos7 libreswan to ciscoAsa with sourcenat:
> (use this when your net (192.168.1.0/24) is already present and/or NATted in their network)
thanks for the note. I did a write up for this at:
https://libreswan.org/wiki/Subnet_to_subnet_using_NAT
> -A POSTROUTING -s 192.168.1.0/24 -d 10.260.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>
> add the NAT ip configured in the internal, incoming firewall interface (eth1) (our 192.168.1.0/24 network).
> 10.40.83.13/32
>
> ipsec.conf:
> ...
> conn net1
> also=tunnel1
> leftsubnet=10.40.83.0/24
> leftsourceip=10.40.83.13
Note if you use NAT to only give them 10.40.83.13/32, you could have
done a tunnel with leftsubnet=10.40.83.13/32 as well. But perhaps
you did this so you could possibly use more than 1 IP in the future
for NATing?
Also, I don't think your leftsourceip= actually works, unless you
actually configured that IP address on your machine, which I do not
think is needed?
Paul
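A check for the setup discussed above, added here as an example and not code from libreswan or from the original poster: the SNAT address must fall inside the conn's leftsubnet= (a /24 as configured, or a /32 as Paul suggests), otherwise the NATed packets never match the IPsec policy and leave by the normal route. Function names and the sample remote subnet 10.50.10.0/24 are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread, not code from libreswan or the original
# poster. The SNAT address must lie inside leftsubnet=: only packets whose
# post-NAT source matches the IPsec policy go through the tunnel, anything
# else takes the normal route in the clear. Function names and the sample
# remote subnet 10.50.10.0/24 are constructed for this example.

ip4_to_int() {
    # Print a dotted quad as a 32-bit integer; fail on a wrong field count,
    # non-digits, leading zeros or octets above 255.
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

in_subnet() {
    # in_subnet <ip> <net/prefix>: 0 if inside, 1 if outside, 2 if malformed
    case $2 in */*) ;; *) return 2 ;; esac
    ip=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "${2%/*}") || return 2
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

nat_rules() {
    # nat_rules <local_net> <remote_net> <out_iface> <snat_ip> <leftsubnet>:
    # print the two POSTROUTING rules from the thread, or fail when the
    # SNAT address could never match the policy or an address is malformed.
    rc=0; in_subnet "$4" "$5" || rc=$?
    case $rc in
        0) ;;
        1) echo "error: SNAT address $4 is outside leftsubnet $5" >&2; return 1 ;;
        *) echo "error: malformed SNAT address or leftsubnet" >&2; return 1 ;;
    esac
    in_subnet "${2%/*}" "$2" || { echo "error: bad remote subnet $2" >&2; return 1; }
    printf '%s\n' \
        "-A POSTROUTING -s $1 -d $2 -o $3 -j SNAT --to-source $4" \
        "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
}
```

The remote subnet in the quoted rule has an octet above 255, so a check like this rejects it before the rule is loaded; a leftsubnet of 10.40.83.13/32 passes the same check as 10.40.83.0/24 does.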