On Mon, 30 Sep 2019, Pavel Volkov wrote:
> 1. strongSwan with public IP, acting as a server/responder.
> 2. Libreswan 3.29 behind NAT for a client.

This is fine.

> I wish to establish a transport-mode connection between the two.

Why transport mode? You are behind NAT, so libreswan can only build a
transport mode tunnel with its pre-NAT IP, which hugely complicates
things. NAT+IPsec is only deployed with IKEv1 and L2TP and it is a
terrible solution often not working fully.

You should use tunnel mode.

> After I start the service (systemctl start ipsec) SAs seem to be well-formed
> on the strongSwan side and it verifies both certificates:
>
> $ sudo ip xfrm state
> src xxx.xxx.149.202 dst xxx.xxx.94.200

Note how this ipsec state is between two public IPs and not the pre-NAT
IP address of the libreswan end.
Paul
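The state check Paul points at above, as an added example that is not part of the thread or of either project's code: a small parser for `ip xfrm state` output that records each SA's endpoints, mode and NAT-T encapsulation, and flags the combination the reply warns about (a transport-mode SA running through UDP encapsulation, i.e. across a NAT). The sample output is constructed with documentation addresses and dummy keys, not the poster's real output; the function names are this example's own.

```python
"""Parse `ip xfrm state` output and flag transport-mode SAs that cross a NAT.

Added example, not from the mailing-list thread. The sample below is
constructed: documentation-range addresses and zeroed keys.
"""
import re

# Constructed `ip xfrm state` sample: one transport-mode SA with NAT-T
# (espinudp) encapsulation and one tunnel-mode SA without it.
SAMPLE_XFRM_STATE = """\
src 203.0.113.202 dst 198.51.100.200
\tproto esp spi 0x0c1c3d7e reqid 16389 mode transport
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 198.51.100.200 dst 203.0.113.202
\tproto esp spi 0x7a1b2c3d reqid 16389 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")
ENCAP_RE = re.compile(r"^encap type (\S+) sport (\d+) dport (\d+)")


def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, proto, spi, mode and encap (or None)."""
    states = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            # A new "src ... dst ..." header starts the next SA record.
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                   "spi": None, "mode": None, "encap": None}
            states.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["spi"], cur["mode"] = m.group(1), m.group(2), m.group(4)
            continue
        m = ENCAP_RE.match(line)
        if m:
            # An encap line only appears when NAT traversal is in use.
            cur["encap"] = {"type": m.group(1),
                            "sport": int(m.group(2)), "dport": int(m.group(3))}
    return states


def nat_transport_sas(states):
    """Return the SAs that are transport mode *and* UDP-encapsulated.

    That pairing means the kernel is doing transport mode through a NAT:
    each side built its state on the address it saw (public on one end,
    pre-NAT on the other), which is exactly the mismatch described in the
    reply. Tunnel-mode SAs and un-encapsulated transport SAs are not flagged.
    """
    return [sa for sa in states
            if sa["mode"] == "transport" and sa["encap"] is not None]


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    for sa in nat_transport_sas(sas):
        print(f"{sa['src']} -> {sa['dst']} spi {sa['spi']}: "
              f"transport mode with {sa['encap']['type']} encapsulation; "
              "endpoint addresses will differ per side, use tunnel mode")
```

Run it against real output with `parse_xfrm_state(subprocess.check_output(["ip", "xfrm", "state"], text=True))`; comparing the printed src/dst pair on both hosts shows whether one side is working from its pre-NAT address.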
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan