<HTML><HEAD>
<META content="text/html; charset=UTF-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 10.00.9200.17148"></HEAD>
<BODY style="FONT: 10pt Segoe UI; MARGIN: 4px 4px 1px">
<DIV>Hi Bryan,</DIV>
<DIV> </DIV>
<DIV>I tried it the way you said and it worked exactly as you said. Heaven knows why it didn't work previously, I must have done something stupid. Thanks for your help.</DIV>
<DIV> </DIV>
<DIV>Incidentally, the two SNAT and DNAT statements are for testing that traffic can be originated from either side of the VPN.</DIV>
<DIV> </DIV>
<DIV>Cheers,</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Tormod<BR><BR>&gt;&gt;&gt; Bryan Duff &lt;duff0097@gmail.com&gt; 06/04/2015 15:47 &gt;&gt;&gt;<BR></DIV>
<DIV dir=ltr>If I recall correctly your step 5 is where things matter - make sure at that point (basically after nat POSTROUTING) that the traffic source/dest matches your left/rightsubnets. Don't worry about the routing decision (your step 3). You should only need one DNAT and one SNAT for your traffic.
<DIV><BR></DIV>
<DIV>-Bryan</DIV></DIV>
<DIV class=gmail_extra><BR>
<DIV class=gmail_quote>On Mon, Apr 6, 2015 at 9:36 AM, Tormod Macleod <SPAN dir=ltr><<A href="mailto:TMacleod@paywizard.com" target=_blank>TMacleod@paywizard.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV style="FONT: 10pt Segoe UI; MARGIN: 4px 4px 1px">
<DIV>Hello,</DIV>
<DIV></DIV>
<DIV>I'm currently testing a site to site VPN. I need to change both the source and destination address on the left device before forwarding the packets over the VPN to the right device. I believe it all happens in the order below but I may be wrong.</DIV>
<DIV></DIV>
<DIV>1 IPTables Prerouting</DIV>
<DIV>2 Route selected</DIV>
<DIV>3 A determination is made on whether the packets should be encapsulated with IPSec</DIV>
<DIV>4 IPTables Postrouting</DIV>
<DIV>5 Packets are encapsulated with IPSec where applicable</DIV>
<DIV>6 Packets are forwarded</DIV>
<DIV></DIV>
<DIV>I believe I have a solution but I'm not sure whether it's the best and I'd welcome some ideas...</DIV>
<DIV></DIV>
<DIV>In order to have the traffic encapsulated I had to create two child SAs on the left side. The first has the original source address and the translated destination address. This is only used in step 3. In step 4 the destination address is translated and by the time it gets to step 5 the traffic source and destination addresses match that of the second child SA which also matches the single child SA on the right side.</DIV>
<DIV></DIV>
<DIV>I'm concerned that I might run into some problems with this approach that I have not yet foreseen.</DIV>
<DIV></DIV>
<DIV>Here's my config...</DIV>
<DIV></DIV>
<DIV><PRE>config setup
        # strictcrlpolicy=yes
        # uniqueids=no

conn %default
        ikelifetime=1440m
        keylife=60m
        margintime=3m
        keyingtries=5
        keyexchange=ikev2
        authby=secret
        left=10.180.0.12
        leftid=2.2.2.2
        auto=start
        ike=aes128-md5-modp1536
        esp=aes128-sha1
        reauth=no
        dpdaction=hold
        dpddelay=40

conn SecurityAssociation-1
        leftsubnet=10.176.0.0/13
        right=3.3.3.3
        rightsubnet=192.168.0.0/16
        rightid=3.3.3.3

conn SecurityAssociation-2
        leftsubnet=1.1.1.0/24
        right=3.3.3.3
        rightsubnet=192.168.0.0/16
        rightid=3.3.3.3
</PRE></DIV>
<DIV></DIV>
<DIV></DIV>
<DIV>Here's the statusall...</DIV>
<DIV></DIV>
<DIV><PRE>[root@localhost ~]# /opt/strongswan522/sbin/ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.12.2.el6.x86_64, x86_64):
uptime: 3 days, since Apr 03 14:47:09 2015
malloc: sbrk 270336, mmap 0, used 210768, free 59568
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
10.180.0.12
Connections:
SecurityAssociation-1: 10.180.0.12...3.3.3.3 IKEv2, dpddelay=40s
SecurityAssociation-1: local: [2.2.2.2] uses pre-shared key authentication
SecurityAssociation-1: remote: [3.3.3.3] uses pre-shared key authentication
SecurityAssociation-1: child: 10.176.0.0/13 === 192.168.0.0/16 TUNNEL, dpdaction=hold
SecurityAssociation-2: child: 1.1.1.0/24 === 192.168.0.0/16 TUNNEL, dpdaction=hold
Security Associations (1 up, 0 connecting):
SecurityAssociation-1[4]: ESTABLISHED 41 minutes ago, 10.180.0.12[2.2.2.2]...3.3.3.3[3.3.3.3]
SecurityAssociation-1[4]: IKEv2 SPIs: 75498cd903d39dfa_i* 9dca56ab7071039a_r, rekeying in 23 hours
SecurityAssociation-1[4]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
SecurityAssociation-2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: cb5e661f_i 9add0a95_o
SecurityAssociation-2{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
SecurityAssociation-2{2}: 1.1.1.0/24 === 192.168.0.0/16
</PRE></DIV>
<DIV>And here's the IPTABLES commands I used to send traffic both ways...</DIV>
<DIV></DIV>
<DIV><PRE># left -> right: rewrite the destination to the right-side host, then the source into the 1.1.1.0/24 selector
iptables -t nat -A PREROUTING -p tcp -s 10.176.0.10/32 -d 10.180.0.12/32 --dport 61001 -j DNAT --to-destination 192.168.1.1:23
iptables -t nat -A POSTROUTING -s 10.176.0.10/32 -d 192.168.1.1/32 -j SNAT --to-source 1.1.1.2
# right -> left: rewrite the destination back to the internal host, then the source to the gateway address
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.1/32 -d 1.1.1.3/32 --dport 61002 -j DNAT --to-destination 10.176.0.10:23
iptables -t nat -A POSTROUTING -s 192.168.1.1/32 -d 10.176.0.10/32 -j SNAT --to-source 10.180.0.12
</PRE></DIV>
<DIV>It's a bit convoluted but it works. I'd love to know if someone has a better idea.</DIV>
<DIV></DIV>
<DIV>Cheers,</DIV>
<DIV></DIV>
<DIV></DIV>
<DIV><FONT face="Segoe UI">Tormod</FONT></DIV><BR>
<DIV>
<DIV>
<DIV><FONT color=#008000 face=Arial>Please consider the environment before printing this email</FONT><FONT face=Arial> </FONT></DIV></DIV></DIV>
<DIV><FONT face=Arial></FONT></DIV><SPAN><FONT face=Arial>********************************************************************* </FONT></SPAN><FONT face=Arial><BR><SPAN><BR>This e-mail and any attachments are confidential. If it is not for you, please inform us and delete it immediately without disclosing, copying, or distributing it.<BR><BR>If the content is not about the business of PayWizard Group PLC or its clients, then it is neither from nor sanctioned by PayWizard Group PLC. Use of this or any other PayWizard Group PLC e-mail facility signifies consent to interception by PayWizard Group PLC. The views expressed in this email or any attachments may not reflect the views and opinions of PayWizard Group PLC.<BR><BR>This message has been scanned for viruses and dangerous content by MailScanner, but PayWizard Group PLC accepts no liability for any damage caused by the transmission of any viruses.<BR><BR>PayWizard Group PLC is a public limited company registered in Scotland (SC175703) with its registered office at Cluny Court, John Smith Business Park, Kirkcaldy, Fife, KY2 6QJ.<BR><BR>*******************************************************************</SPAN>*</FONT> <BR><SPAN class=HOEnZb><FONT color=#888888>-- <BR>This message has been scanned for viruses and <BR>dangerous content by <A href="http://www.mailscanner.info/" target=_blank><B>MailScanner</B></A>, and is <BR>believed to be clean. </FONT></SPAN></DIV><BR>_______________________________________________<BR>Users mailing list<BR><A href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</A><BR><A href="https://lists.strongswan.org/mailman/listinfo/users" target=_blank>https://lists.strongswan.org/mailman/listinfo/users</A><BR></BLOCKQUOTE></DIV><BR></DIV>
</BODY></HTML>