iptables -t nat -F ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -F ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# # NAT ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -t nat -A POSTROUTING -s 192.1.3.0/24 -p udp --sport 4500 -j SNAT --to-source 192.1.2.254:3500-3700 ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -t nat -A POSTROUTING -s 192.1.3.0/24 -p udp --sport 500 -j SNAT --to-source 192.1.2.254:2500-2700 ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -t nat -A POSTROUTING --source 192.1.3.0/24 --destination 0.0.0.0/0 -j SNAT --to-source 192.1.2.254 ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# # make sure that we never acidentially let ESP through. ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# # ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -I FORWARD 1 --proto 50 -j DROP ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -I FORWARD 2 --destination 192.0.2.0/24 -j DROP ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -I FORWARD 3 --source 192.0.2.0/24 -j DROP ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# # route ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -I INPUT 1 --destination 192.0.2.0/24 -j DROP ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# # Display the table, so we know it is correct. ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT udp -- 192.1.3.0/24 0.0.0.0/0 udp spt:4500 to:192.1.2.254:3500-3700 SNAT udp -- 192.1.3.0/24 0.0.0.0/0 udp spt:500 to:192.1.2.254:2500-2700 SNAT all -- 192.1.3.0/24 0.0.0.0/0 to:192.1.2.254 ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- 0.0.0.0/0 192.0.2.0/24 Chain FORWARD (policy ACCEPT) target prot opt source destination DROP esp -- 0.0.0.0/0 0.0.0.0/0 DROP all -- 0.0.0.0/0 192.0.2.0/24 DROP all -- 192.0.2.0/24 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# echo "initdone" initdone ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# : ==== end ==== ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# ../../pluto/bin/ipsec-look.sh ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# : ==== cut ==== ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder]# ipsec auto --status whack: Pluto is not running (no "/run/pluto/pluto.ctl") ]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-ikeport-05-rw-nat-responder[root@nic ikev2-ikeport-05-rw-nat-responder 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 final.sh 'ipsec auto --status' <<<<<<<<<>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi' <<<<<<<<<>>>>>>>>>cut>>>>>>>>>> done <<<<<<<<<