<div dir="ltr"><div>Hi All,</div><div><br></div><div>I need some advice on using NAT with strongswan in an AWS VPC. I can get the VPN connected, but I cannot ping the far host 172.16.1.52, and I am told ICMP is open on the far end. What, if anything, am I missing? Thanks in advance for your help!</div>
<div><br></div><div>Mark</div><div><ul><li>Strongswan Host IP = 10.0.57.4<br></li><li>Client wants 10.0.57.4 to be translated to 192.168.11.15 when traversing the VPN.<br></li><li>I set up a rule in iptables that translates 10.0.57.4 to 192.168.11.15 for all traffic destined to 172.16.1.52 (see the following rule)<br>
</li><li>Looking at ipsec status, I see 192.168.11.15 referenced in phase 1 and the phase 2 SAs are established</li></ul></div><div><br></div><div><br></div><div>****IPTABLES*****</div><div><div><br></div><div><div>
# Generated by iptables-save v1.4.12 on Wed Aug 6 22:25:42 2014</div>
<div>*nat</div><div>:PREROUTING ACCEPT [1:60]</div><div>:INPUT ACCEPT [1:60]</div><div>:OUTPUT ACCEPT [1:84]</div><div>:POSTROUTING ACCEPT [1:84]</div><div>-A POSTROUTING -s 10.0.57.4/32 -d 172.16.1.52/32 -j SNAT --to-source 192.168.11.15</div>
<div>COMMIT</div><div># Completed on Wed Aug 6 22:25:42 2014</div><div># Generated by iptables-save v1.4.12 on Wed Aug 6 22:25:42 2014</div><div>*filter</div><div>:INPUT ACCEPT [90:6048]</div><div>:FORWARD ACCEPT [0:0]</div>
<div>:OUTPUT ACCEPT [4077:485363]</div><div>-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</div><div>COMMIT</div><div># Completed on Wed Aug 6 22:25:42 2014</div></div><div><br></div><div><br></div><div>*****IPSEC.CONF******</div>
<div>config setup</div><div> # plutodebug=all</div><div> # crlcheckinterval=600</div><div> # strictcrlpolicy=yes</div><div> # cachecrls=yes</div><div> charonstart=yes</div><div> plutostart=yes</div>
<div><br></div><div># Add connections here.</div><div><br></div><div>conn %default</div><div><span class="" style="white-space:pre"> </span># Common Connection Parameters for all connections</div><div> authby=secret</div>
<div> keyexchange=ikev1</div></div><div><br></div><div><div>conn u0</div><div> # Connection Security Parameters</div><div> type=tunnel</div><div> auth=esp</div><div> ike=3des-md5-modp1024</div>
<div> esp=3des-sha1-modp1024</div><div> pfs=yes</div><div> forceencaps=yes</div><div> ikelifetime=28800s</div><div> keylife=28800s</div><div> # Left security gateway, subnet behind it, nexthop toward right.</div>
<div> left=10.0.57.4</div><div> leftid=50.80.11.5</div><div> leftsubnet=10.0.57.4/32</div><div> leftnexthop=%defaultroute</div><div> # Right security gateway, subnet behind it, nexthop toward left.</div>
<div> right=80.12.15.7</div><div> rightid=80.12.15.7</div><div> rightsubnet=172.16.1.52/32</div><div> rightnexthop=%defaultroute</div><div> # To authorize this connection, but not actually start it,</div>
<div> # at startup, uncomment this.</div><div> auto=start</div></div><div><br></div><div><br></div><div>*****IPSEC STATUS********</div><div><div>000 "u0": 192.168.11.15/32===10.0.57.4[50.80.11.5]---10.0.57.1...10.0.57.1---80.12.15.7[80.12.15.7]===172.16.1.52/32; erouted; eroute owner: #3</div>
<div>000 "u0": newest ISAKMP SA: #2; newest IPsec SA: #3; </div></div><div><div>000 #3: "u0" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28044s; newest IPSEC; eroute owner</div>
<div>000 #3: "u0" esp.########@80.12.15.7 (0 bytes) esp.#######@10.0.57.4 (0 bytes); tunnel</div><div>000 #2: "u0" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27803s; newest ISAKMP</div>
</div><div><br></div></div>
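An added diagnostic for a setup like the one in Mark's message (it is not part of his post and not strongSwan's own tooling): it cross-checks the iptables SNAT rule against the ipsec.conf traffic selectors and reads the per-SA byte counters out of the pluto "ipsec status" output. The three sample inputs embedded below are constructed from the text quoted in the post; on a live box you would feed it the output of `iptables-save`, the `conn` block from `ipsec.conf` and `ipsec status` instead. The function names are the script's own.

```shell
#!/bin/sh
# Diagnostic for SNAT-before-IPsec on a strongSwan (pluto) gateway.
# Added example; sample inputs are constructed from the mailing-list post.

# Constructed sample: the POSTROUTING rule from the post.
IPTABLES_NAT='-A POSTROUTING -s 10.0.57.4/32 -d 172.16.1.52/32 -j SNAT --to-source 192.168.11.15'

# Constructed sample: the selector-related lines of conn u0 from the post.
IPSEC_CONF='conn u0
 left=10.0.57.4
 leftsubnet=10.0.57.4/32
 right=80.12.15.7
 rightsubnet=172.16.1.52/32'

# Constructed sample: the IPsec SA line from "ipsec status" in the post.
IPSEC_STATUS='000 #3: "u0" esp.########@80.12.15.7 (0 bytes) esp.#######@10.0.57.4 (0 bytes); tunnel'

# rule_opt RULES OPT: print the argument that follows OPT (e.g. --to-source, -d)
# on the first "-j SNAT" rule in an iptables-save dump.
rule_opt() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        /-j SNAT/ { for (i = 1; i <= NF; i++) if ($i == opt) { print $(i + 1); exit } }'
}

# conf_value CONF KEY: print the value of "KEY=" from an ipsec.conf fragment.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# snat_covered_by_leftsubnet SNAT_IP LEFTSUBNET: succeed only when the address
# the SNAT rule writes is exactly the host selector negotiated with the peer.
# After SNAT the packet carries SNAT_IP as its source, so that is the address
# the IPsec policy (and the peer's view of leftsubnet) has to match.
snat_covered_by_leftsubnet() {
    [ "$2" = "$1/32" ]
}

# nonzero_sa_counters STATUS: count the "(N bytes)" counters in pluto's status
# output that are not zero; 0 means no packet has entered or left the tunnel.
nonzero_sa_counters() {
    printf '%s\n' "$1" | awk '
        { while (match($0, /\([0-9]+ bytes\)/)) {
              c = substr($0, RSTART, RLENGTH)
              if (c != "(0 bytes)") n++
              $0 = substr($0, RSTART + RLENGTH)
          } }
        END { print n + 0 }'
}

# Run the checks against the constructed samples.
snat=$(rule_opt "$IPTABLES_NAT" --to-source)
nat_dst=$(rule_opt "$IPTABLES_NAT" -d)
lsub=$(conf_value "$IPSEC_CONF" leftsubnet)
rsub=$(conf_value "$IPSEC_CONF" rightsubnet)

if snat_covered_by_leftsubnet "$snat" "$lsub"; then
    echo "ok: leftsubnet $lsub is the SNAT source $snat"
else
    echo "mismatch: SNAT rewrites the source to $snat but leftsubnet is $lsub"
fi
if [ "$nat_dst" = "$rsub" ]; then
    echo "ok: SNAT destination $nat_dst equals rightsubnet"
else
    echo "mismatch: SNAT destination $nat_dst vs rightsubnet $rsub"
fi
echo "SA counters with traffic: $(nonzero_sa_counters "$IPSEC_STATUS")"
```

Two things the script surfaces on the post's own data: the config file declares `leftsubnet=10.0.57.4/32` while the SNAT rule rewrites to 192.168.11.15 (and the running status shows 192.168.11.15/32 on the left, so the loaded connection and the file shown do not agree), and both ESP counters read `(0 bytes)`, so no packet has been matched into the tunnel in either direction. Once traffic flows, the `3des-md5-modp1024` / `3des-sha1-modp1024` proposals in the post are worth revisiting; 3DES, MD5 and 1024-bit MODP are weak by current standards.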