[Swan] NATD IP different than configured IP

Craig Marker cmarker at inspeednetworks.com
Mon Aug 27 20:09:42 UTC 2018


Is this the ipsec status output you’re looking for? This is from the client machine.

+ ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo ::1.2.3.4 at 500
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface enp3s0/enp3s0 4.3.2.1 at 4500
000 interface enp3s0/enp3s0 4.3.2.1 at 500
000 interface enp7s0/enp7s0 1.2.3.4 at 4500
000 interface enp7s0/enp7s0 1.2.3.4 at 500
000 interface enp7s0:1/enp7s0:1 2.2.3.4 at 4500
000 interface enp7s0:1/enp7s0:1 2.2.3.4 at 500
000 interface enp10s0/enp10s0 10.10.20.254 at 4500
000 interface enp10s0/enp10s0 10.10.20.254 at 500

> On Aug 27, 2018, at 1:05 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Mon, 27 Aug 2018, Craig Marker wrote:
> 
>> I recently experienced an issue where an SA was established even though the new NAT mapping (the NATD source IP) was a different IP address than what was configured
>> in my ipsec.conf file. Is this expected? Is there something I’m doing in my configuration files to allow this? Could this be a bug?
> 
> I don't think that is possible. Is the other IP a valid IP on your
> machine? Does it show up at the first bit of "ipsec status"?
> 
> Paul


