[Swan] Bringing up strongSwan+Libreswan transport connection

Paul Wouters paul at nohats.ca
Mon Sep 30 18:59:59 UTC 2019

On Mon, 30 Sep 2019, Pavel Volkov wrote:

> 1. strongSwan with public IP, acting as a server/responder.
> 2. Libreswan 3.29 behind NAT for a client.

This is fine.

> I wish to establish a transport-mode connection between the two.

Why transport mode? You are behind NAT, so libreswan can only build a
transport mode tunnel with its pre-NAT IP, which hugely complicates
things. NAT+IPsec is only deployed with IKEv1 and L2TP and it is a
terrible solution often not working fully.

You should use tunnel mode.

> After I start the service (systemctl start ipsec) SAs seem to be well-formed 
> on the strongSwan side and it verifies both certificates:
> $ sudo ip xfrm state
> src xxx.xxx.149.202 dst xxx.xxx.94.200

Note how this ipsec state is between two public IPs and not the pre-NAT
IP address of the libreswan end.


More information about the Swan mailing list