TCPDUMP

moon# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &

PRE-TEST

alice# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...                                                  [ ok ]

bob# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...                                                  [ ok ]

moon# echo 1 > /proc/sys/net/ipv4/ip_forward

sun# echo 1 > /proc/sys/net/ipv4/ip_forward

moon# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source 192.168.0.1:1024-1100

moon# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source 192.168.0.1:2000-2100

sun# iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source 192.168.0.2:2000-2100

sun# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.1 -p udp -j DNAT --to-destination 10.2.0.10

alice# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
No leaks detected, 5 suppressed by whitelist

bob# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
No leaks detected, 5 suppressed by whitelist

alice# sleep 2

alice# ipsec up nat-t
initiating IKE_SA nat-t[1] to 192.168.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.1.0.10[500] to 192.168.0.2[500]
received packet: from 192.168.0.2[500] to 10.1.0.10[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of 'alice@strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org"
establishing CHILD_SA nat-t
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500]
received packet: from 192.168.0.2[4500] to 10.1.0.10[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=bob@strongswan.org"
  using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=bob@strongswan.org"
  using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=bob@strongswan.org"
  fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
  using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
  crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
  crl is valid: until Jun 30 17:25:59 2012
certificate status is good
  reached self-signed root ca with a path length of 0
authentication of 'bob@strongswan.org' with RSA signature successful
IKE_SA nat-t[1] established between 10.1.0.10[alice@strongswan.org]...192.168.0.2[bob@strongswan.org]
scheduling reauthentication in 3312s
maximum IKE_SA lifetime 3492s
No leaks detected, 1 suppressed by whitelist

alice# sleep 1


TEST

alice# ipsec statusall | grep 'nat-t.*INSTALLED' [YES]
No leaks detected, 1 suppressed by whitelist
       nat-t{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cbb2ae65_i c930bf81_o

bob# ipsec statusall | grep 'nat-t.*INSTALLED' [YES]
No leaks detected, 1 suppressed by whitelist
       nat-t{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c930bf81_i cbb2ae65_o

alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=64 time=0.996 ms

moon# killall tcpdump

moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP' [YES]
20:44:54.015346 IP moon.strongswan.org.1026 > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xc930bf81,seq=0x1), length 132

moon# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP' [YES]
20:44:54.015981 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.1026: UDP-encap: ESP(spi=0xcbb2ae65,seq=0x1), length 132


POST-TEST

bob# ipsec stop
Stopping strongSwan IPsec...

alice# ipsec stop
Stopping strongSwan IPsec...

alice# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ...                                                  [ ok ]

bob# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ...                                                  [ ok ]

moon# iptables -t nat -F

sun# iptables -t nat -F

moon# conntrack -F

sun# conntrack -F