[Swan] Bringing up strongSwan+Libreswan transport connection
paul at nohats.ca
Mon Sep 30 18:59:59 UTC 2019
On Mon, 30 Sep 2019, Pavel Volkov wrote:
> 1. strongSwan with public IP, acting as a server/responder.
> 2. Libreswan 3.29 behind NAT for a client.
This is fine.
> I wish to establish a transport-mode connection between the two.
Why transport mode? You are behind NAT, so libreswan can only build a
transport mode tunnel with its pre-NAT IP, which hugely complicates
things. NAT+IPsec is only deployed with IKEv1 and L2TP, and it is a
terrible solution that often does not work fully.
You should use tunnel mode.
> After I start the service (systemctl start ipsec), SAs seem to be well-formed
> on the strongSwan side, and it verifies both certificates:
> $ sudo ip xfrm state
> src xxx.xxx.149.202 dst xxx.xxx.94.200
Note how this ipsec state is between two public IPs and not the pre-NAT
IP address of the libreswan end.
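As an added illustration of the recommendation in the reply above (this is not configuration posted in the thread; the conn names, hostnames, IDs and certificate nicknames are placeholders), a libreswan ipsec.conf fragment for the client behind NAT, showing the transport-mode conn the question describes beside the tunnel-mode conn the reply recommends:

```ini
# Constructed example; not configuration from this thread.
# Libreswan /etc/ipsec.conf fragment for the client behind NAT.
# All hostnames, IDs and certificate nicknames are placeholders.

# What the question describes: transport mode behind NAT. The SA is
# negotiated for the client's pre-NAT address, while the responder only
# ever sees the NAT'd public address, so the two ends disagree about
# which addresses the SA protects.
conn strongswan-transport
    type=transport
    ikev2=insist
    authby=rsasig
    left=%defaultroute
    leftid=@client.example.org
    leftcert=client-cert-nickname
    right=server.example.org
    rightid=@server.example.org
    auto=ignore            # kept only for comparison; never started

# What the reply recommends: tunnel mode. The inner packets keep the
# client's pre-NAT address as the traffic selector, and the outer
# ESP-in-UDP (NAT-T) packets can be translated freely. The strongSwan
# responder side must use type=tunnel as well so the proposals match.
conn strongswan-tunnel
    type=tunnel
    ikev2=insist
    authby=rsasig
    left=%defaultroute
    leftid=@client.example.org
    leftcert=client-cert-nickname
    right=server.example.org
    rightid=@server.example.org
    auto=start
```

With the tunnel-mode conn loaded on both sides, `ip xfrm state` on the strongSwan responder still shows the two public addresses as `src`/`dst` (that is the outer header), while `ip xfrm policy` shows the client's pre-NAT address in the selector, which is the expected picture for a NAT'd tunnel.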