Disable NAT on OpenWrt? alternative?

Hello.

I am trying to enable strongSwan (IPSec/IKEv2) on VirtualBox with Linux. VirtualBox is in network bridge mode. The output from Terminal (VirtualBox with Linux) always says: local host is behind NAT, sending keep alives.

I've added these rules on OpenWRT (/etc/config/firewall), but that did not work:

config rule
	option src 'wan'
	option name 'IPSec ESP'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'IPSec IKE'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'IPSec NAT-T'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'Auth Header'
	option proto 'ah'
	option target 'ACCEPT'

Do I have to disable NAT on OpenWRT or are there alternatives?

Keep-alives are generally required for persistent connections through NAT, even if the firewall is open. NAT is a different process, so its timeouts need to be refreshed.

Instead of rules you should try to forward them to the host that terminates the IPsec tunnel.
Disabling NAT will definitely not work for you, only the router will have access to the internet.
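What the forwarding suggestion above looks like in /etc/config/firewall, as an added example that is not from this thread: `config redirect` entries with target DNAT, in place of the `config rule` ACCEPT entries in the question (those only open ports on the router itself, they forward nothing to a LAN host). The VM's LAN address 192.168.1.100 is assumed; the "behind NAT" message stays, since the VM still has a private address.

```uci
# /etc/config/firewall on the OpenWrt router (added example, not from the thread)
# Forward IKE (UDP 500), NAT-T (UDP 4500) and ESP arriving on the WAN to the
# VM that runs strongSwan. 192.168.1.100 is an assumed LAN address of that VM.

config redirect
	option name 'IPsec IKE to VM'
	option src 'wan'
	option proto 'udp'
	option src_dport '500'
	option dest 'lan'
	option dest_ip '192.168.1.100'
	option dest_port '500'
	option target 'DNAT'

config redirect
	option name 'IPsec NAT-T to VM'
	option src 'wan'
	option proto 'udp'
	option src_dport '4500'
	option dest 'lan'
	option dest_ip '192.168.1.100'
	option dest_port '4500'
	option target 'DNAT'

# Plain ESP is only used by peers without NAT-T; once NAT is detected,
# ESP travels inside UDP 4500 and this redirect sees no traffic.
config redirect
	option name 'IPsec ESP to VM'
	option src 'wan'
	option proto 'esp'
	option dest 'lan'
	option dest_ip '192.168.1.100'
	option target 'DNAT'
```

Apply with `/etc/init.d/firewall restart` and confirm with `logread` or a packet capture on the VM that UDP 500/4500 from the peer actually arrives.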

To avoid NAT and use simple forwarding, the machine running strongSwan needs a public IP address of its own.
I can see these options:

  • IPv4: perhaps as part of a business contract, otherwise hard to get
  • IPv6: possible, for example with DHCPv6 prefix delegation, but the IKE peer needs IPv6 too
  • run strongSwan on the OpenWrt router, if it is powerful enough
  • replace the OpenWrt router with a VM running OpenWrt and strongSwan

If the OpenWrt router itself does not have a public IPv4 address now (for example because of carrier-grade NAT), IKE will always detect NAT at the local end when it is set up with IPv4 peers. In this case, IPv6 would be required.

My mistake. My IKEv2 configuration did not work with every VPN server. After I changed the VPN server, it ran.