PRE-TEST

alice# iptables-restore < /etc/iptables.rules

venus# iptables-restore < /etc/iptables.rules

sun# iptables-restore < /etc/iptables.rules

moon# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source 192.168.0.1:1024-1100

moon# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source 192.168.0.1:2000-2100

sun# ipsec start
Starting strongSwan 6.0.1 IPsec [starter]...

alice# ipsec start
Starting strongSwan 6.0.1 IPsec [starter]...

venus# ipsec start
Starting strongSwan 6.0.1 IPsec [starter]...

sun# expect-connection nat-t

alice# expect-connection nat-t

alice# ipsec up nat-t
initiating IKE_SA nat-t[1] to 192.168.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.1.0.10[500] to 192.168.0.2[500] (924 bytes)
received packet: from 192.168.0.2[500] to 10.1.0.10[500] (305 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
local host is behind NAT, sending keep alives
received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
authentication of 'alice@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
sending end entity cert "C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org"
establishing CHILD_SA nat-t{1}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message (2016 bytes) into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (1236 bytes)
sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (852 bytes)
received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (676 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1840 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  using certificate "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  reached self-signed root ca with a path length of 0
checking certificate status of "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
  using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  crl is valid: until Mar 25 18:47:43 2025
certificate status is good
authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
peer supports MOBIKE
IKE_SA nat-t[1] established between 10.1.0.10[alice@strongswan.org]...192.168.0.2[sun.strongswan.org]
scheduling reauthentication in 3369s
maximum IKE_SA lifetime 3549s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA nat-t{1} established with SPIs cfd888b0_i c2a00e98_o and TS 10.1.0.10/32 === 10.2.0.0/16
connection 'nat-t' established successfully

venus# expect-connection nat-t

venus# ipsec up nat-t
initiating IKE_SA nat-t[1] to 192.168.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.1.0.20[500] to 192.168.0.2[500] (924 bytes)
received packet: from 192.168.0.2[500] to 10.1.0.20[500] (305 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
local host is behind NAT, sending keep alives
received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
authentication of 'venus.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
sending end entity cert "C=CH, O=strongSwan Project, CN=venus.strongswan.org"
establishing CHILD_SA nat-t{1}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message (2000 bytes) into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from 10.1.0.20[4500] to 192.168.0.2[4500] (1236 bytes)
sending packet: from 10.1.0.20[4500] to 192.168.0.2[4500] (836 bytes)
received packet: from 192.168.0.2[4500] to 10.1.0.20[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 192.168.0.2[4500] to 10.1.0.20[4500] (676 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1840 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  using certificate "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  reached self-signed root ca with a path length of 0
checking certificate status of "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
  using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  crl is valid: until Mar 25 18:47:43 2025
certificate status is good
authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
peer supports MOBIKE
IKE_SA nat-t[1] established between 10.1.0.20[venus.strongswan.org]...192.168.0.2[sun.strongswan.org]
scheduling reauthentication in 3341s
maximum IKE_SA lifetime 3521s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA nat-t{1} established with SPIs ce95a3fd_i c6a9ee37_o and TS 10.1.0.20/32 === 10.2.0.0/16
connection 'nat-t' established successfully


TEST

alice# ipsec status 2> /dev/null | grep 'nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org' [YES]
       nat-t[1]: ESTABLISHED 0 seconds ago, 10.1.0.10[alice@strongswan.org]...192.168.0.2[sun.strongswan.org]

venus# ipsec status 2> /dev/null | grep 'nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org' [YES]
       nat-t[1]: ESTABLISHED 0 seconds ago, 10.1.0.20[venus.strongswan.org]...192.168.0.2[sun.strongswan.org]

sun# ipsec status 2> /dev/null | grep 'nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org' [YES]
       nat-t[1]: ESTABLISHED 1 second ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[alice@strongswan.org]

sun# ipsec status 2> /dev/null | grep 'nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org' [YES]
       nat-t[2]: ESTABLISHED 1 second ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[venus.strongswan.org]

alice# ipsec status 2> /dev/null | grep 'nat-t.*INSTALLED, TUNNEL' [YES]
       nat-t{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cfd888b0_i c2a00e98_o

venus# ipsec status 2> /dev/null | grep 'nat-t.*INSTALLED, TUNNEL' [YES]
       nat-t{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce95a3fd_i c6a9ee37_o

sun# ipsec status 2> /dev/null | grep 'nat-t[{]1}.*INSTALLED, TUNNEL' [YES]
       nat-t{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2a00e98_i cfd888b0_o

sun# ipsec status 2> /dev/null | grep 'nat-t[{]2}.*INSTALLED, TUNNEL' [YES]
       nat-t{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c6a9ee37_i ce95a3fd_o

alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_.eq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=1.85 ms

venus# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_.eq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=1.84 ms

moon# killall tcpdump

moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP' [YES]
19:48:42.884112 IP moon.strongswan.org.1057 > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xc2a00e98,seq=0x1), length 132
19:48:42.917598 IP moon.strongswan.org.1054 > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xc6a9ee37,seq=0x1), length 132

moon# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP' [YES]
19:48:42.885343 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.1057: UDP-encap: ESP(spi=0xcfd888b0,seq=0x1), length 132
19:48:42.918786 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.1054: UDP-encap: ESP(spi=0xce95a3fd,seq=0x1), length 132


POST-TEST

sun# ipsec stop
Stopping strongSwan IPsec...

alice# ipsec stop
Stopping strongSwan IPsec...

venus# ipsec stop
Stopping strongSwan IPsec...

alice# iptables-restore < /etc/iptables.flush

venus# iptables-restore < /etc/iptables.flush

sun# iptables-restore < /etc/iptables.flush

moon# iptables -t nat -F