I've got a local subnet with statically assigned addresses, 10.65.112.0/22. One of the devices is a Linux box acting as a gateway with a PPP connection; it has a normal Ethernet controller with address 10.65.112.69, and when the PPP connection is up it has an assigned address of 10.1.20.19.
Also on the local subnet is another machine (Windows, as it happens), 10.65.112.174, with its gateway set to the .69 machine. Prior to integrating the VPN, I had some normal NAT going on so that the Windows box could communicate with the outside world, but using the "public" IP of 10.1.20.19. A fairly standard sort of rule:

    iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

This worked fine - I could ping other devices on the public net directly from the Windows box.

I've now got an IPsec based VPN, with the following connection setup:

    conn MYCONN
        left=%defaultroute
        leftsourceip=%config
        right=10.1.40.1
        rightsubnet=10.31.21.0/24
        auto=add

This VPN works fine, and from the Linux gateway I can ping remote devices (10.31.21.XXX) without any problem. If I add my NAT rule back in, though, everything breaks: I can't ping from the local machine or the Windows box. The packets go out on the PPP interface but without being encapsulated, whether they were locally or remotely generated.

My understanding of the iptables NAT table is that it takes place before the xfrm lookup (http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg), so once the source has been rewritten to 10.1.20.19 it should get picked up by the VPN and encapsulated, but that is clearly not what's happening.

I've been banging my head against this for a little while now, so any help much appreciated!

Will
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
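An added example, not from the original post or the strongSwan project: it encodes the usual arrangement for running MASQUERADE next to an IPsec policy (traffic that already matches an outbound IPsec policy is exempted via the xt_policy match, before the MASQUERADE rule) and a small check that reads iptables-save style nat rules and flags a missing or misordered bypass. It assumes the interface and LAN from the post (ppp0, 10.65.112.0/22) and that the IPsec policy actually covers that LAN (e.g. leftsubnet=10.65.112.0/22, which the posted conn does not set); the check and sample rules are constructed here.

```shell
#!/bin/sh
# Added example (not the poster's configuration). Assumed values from the post.
LAN=10.65.112.0/22
WAN_IF=ppp0

# Rules in the order they must be appended to nat/POSTROUTING:
#  1. packets that match an outbound IPsec policy are ACCEPTed (left alone),
#  2. everything else leaving via ppp0 is masqueraded.
# With the order reversed, MASQUERADE rewrites the source first and the
# bypass rule never sees the packet.
nat_rules() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -s $LAN -o $WAN_IF -m policy --dir out --pol ipsec -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE"
}

# Apply the rules above (needs root); kept separate so the script is safe to run.
apply_nat_rules() {
    nat_rules | while read -r cmd; do $cmd; done
}

# Read iptables-save style lines on stdin and print one word:
#   ok         - an ipsec-policy ACCEPT precedes any MASQUERADE on $WAN_IF
#   misordered - MASQUERADE comes before the bypass
#   missing    - no bypass rule for $WAN_IF at all
check_order() {
    awk -v ifc="$WAN_IF" '
        /^-A POSTROUTING/ && index($0, "-o " ifc) {
            n++
            if ($0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/ && !bypass) bypass = n
            if ($0 ~ /-j MASQUERADE/ && !masq) masq = n
        }
        END {
            if (!bypass) print "missing"
            else if (masq && masq < bypass) print "misordered"
            else print "ok"
        }'
}

# Constructed sample: the post's original single rule, as iptables-save shows it.
SAMPLE_ORIGINAL='*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

case "${1:-show}" in
    apply) apply_nat_rules ;;
    check) check_order ;;          # e.g. iptables-save -t nat | ./script.sh check
    *)     nat_rules ;;
esac
```

Feeding `iptables-save -t nat` into the `check` mode on the gateway shows whether the bypass is present and ahead of the masquerade rule.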