<div dir="ltr">My scenario is VMs behind the roadwarrior (carol) reaching gateway (moon)'s subnets (alice).<div><br></div><div>1. carol to moon subnets - this works correctly as a point2site network.<br></div><div><br></div><div>2. carol - has a KVM libvirt <a href="http://192.168.122.0/24">192.168.122.0/24</a> network totally unknown to moon. I want these VMs to reach the subnets behind moon by carol being a VPN/NAT. To my surprise:</div><div><br></div><div>a. this works by SNAT of 192.168.122.x in POSTROUTING to carol's leftip</div><div><br></div><div>b. why is this surprising: I thought table 220 would intercept these packets as well ("from all"), change the source to leftip, no connection tracking, and therefore the return packets would fail.</div><div><br></div><div>However, what happened was that packets from <a href="http://192.168.122.0/24">192.168.122.0/24</a> to moon skipped table 220, giving me a chance to SNAT in POSTROUTING, and it works!</div><div><br></div><div><div>3. Now ip rule 220 looks like a "from all" rule, so I'm curious why forwarded packets from carol's libvirt <a href="http://192.168.122.0/24">192.168.122.0/24</a> didn't get affected by the policy.</div><div><br></div><div>I.e.</div><div><br></div><div>192.168.122.2 (VM) --- carol (roadwarrior, leftip=10.1.1.1) ---- moon (gateway) --- alice 10.1.2.1</div><div><br></div><div>* carol can reach alice</div><div>* moon: does not know about <a href="http://192.168.122.0/24">192.168.122.0/24</a></div><div><br></div><div>Expected: 192.168.122.2 to 10.1.2.1 to fail because <a href="http://192.168.122.0/24">192.168.122.0/24</a> would be "ip rule 220"-ed and changed to 10.1.1.1, and carol has no connection tracking for this packet.</div><div><br></div><div>Observed: 192.168.122.x to 10.1.2.1 skips table 220, reaches POSTROUTING, and can be SNAT'ed to 10.1.1.1 (and everything works).</div><div><br></div><div>Sorry if I was not clear earlier.
I meant, I didn't expect subnets behind the roadwarrior to be able to make it to moon.</div><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Nov 6, 2016 at 10:10 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Richard,<br>
<br>
the table 220 source IP routing rule applies to packets originating<br>
from the VPN gateway itself only. If you want roadwarriors from a<br>
subnet behind the GW to assume this address then you have to NAT them<br>
to the GW's address. Since the table 220 rule usually maps the GW's<br>
source address to the local interface on the subnet I don't see<br>
the sense of the roadwarriors belonging to this subnet to assume<br>
the gateway's internal address.<br>
<br>
Regards<br>
<br>
Andreas<span class=""><br>
<br>
On 05.11.2016 18:01, Richard Chan wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi, in the roadwarrior configuration, from a conceptual point of view,<br>
why doesn't table 220 change the source IP address of forwarded packets<br>
(say the roadwarrior has a subnet behind it)?<br>
<br>
# ip ro sho table 220<br>
</span><a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a> <<a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">http://10.0.0.0/8</a>> via 192.168.1.1 dev eth0 proto static<span class=""><br>
src 10.2.0.3<br>
<br>
# ip rule show<br>
0: from all lookup local<br>
220: from all lookup 220<br>
32766: from all lookup main<br>
32767: from all lookup default<br>
<br></span>
roadwarrior has a separate subnet <a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">http://192.168.2.0/24</a>><span class=""><br>
and is forwarding/NAT'ing packets. When I ping a host on the central<br>
site LAN<br>
<br>
- OUTPUT chain sees the source IP address as 10.2.0.3 (table 220 is<br>
working!)<br>
- FORWARD chain sees the source IP address as 192.168.2.X (host cannot<br>
be reached until these packets are SNAT'ed to 10.2.0.3)<br>
<br>
</span></blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Richard Chan<br>
</blockquote>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px">Richard Chan</span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px">Chief Architect</span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px"><br></span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px">TreeBox Solutions Pte Ltd</span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px">1 Commonwealth Lane #03-01</span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px">Singapore 149544</span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px">Tel: 6570 3725</span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px"><a href="http://www.treeboxsolutions.com" target="_blank">http://www.treeboxsolutions.com</a></span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px"><br></span></font></div><div dir="ltr"><font color="#000000" face="Droid Sans"><span style="font-size:15px"><a href="http://Co.Reg.No" target="_blank">Co.Reg.No</a>. 201100585R<span style="white-space:pre"> </span></span></font></div></div></div></div></div>
</div>
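<div dir="ltr">The point both mails circle around can be worked through offline. In <code>ip route</code> the <code>src</code> attribute is only a preferred source address: the kernel uses it when it has to pick a source for a locally generated packet. A forwarded packet arrives with its source already set, so although the "from all" rule still sends its lookup through table 220, nothing rewrites the header, and the packet only falls under the roadwarrior's IPsec policy once POSTROUTING SNAT has given it the virtual IP. The following script is an added example, not code from this thread or from strongSwan. It copies Richard's <code>ip rule show</code> and table 220 output verbatim; the <code>main</code> table, the sample packets, the libvirt-style subnet 192.168.2.0/24 behind the roadwarrior and the IPsec selector 10.2.0.3 <-> 10.0.0.0/8 (read off the table 220 route) are constructed assumptions, and <code>snat_rule</code> emits the conventional iptables form of the NAT rule rather than anything the thread shows.</div>

```python
"""Policy-routing walk-through for the roadwarrior in this thread.

Added example, not code from the mailing-list thread or from strongSwan.
The `ip rule show` and table 220 lines are copied from Richard's mail;
the `main` table, the sample packets and the IPsec selector
10.2.0.3 <-> 10.0.0.0/8 are constructed assumptions.
"""
import ipaddress
import re

# Copied from the mail: every rule is "from all", so table 220 is
# consulted for forwarded packets as well as for local ones.
IP_RULE_SHOW = """\
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
"""

ROUTE_TABLES = {
    # From the mail: strongSwan's table 220 route, virtual IP as the src hint.
    "220": "10.0.0.0/8 via 192.168.1.1 dev eth0 proto static src 10.2.0.3\n",
    # Constructed: a plausible main table for the roadwarrior.
    "main": ("default via 192.168.1.1 dev eth0\n"
             "192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1\n"),
}

# Assumed IPsec policy selector: virtual IP 10.2.0.3 <-> gateway side 10.0.0.0/8.
POLICY_SRC = ipaddress.ip_network("10.2.0.3/32")
POLICY_DST = ipaddress.ip_network("10.0.0.0/8")


def parse_rules(text):
    """Return (priority, from-selector, table) tuples in priority order."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\d+):\s+from (\S+) lookup (\S+)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return sorted(rules)


def parse_routes(text):
    """Parse `ip route show` lines into (prefix, attribute dict) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        attrs = dict(zip(fields[1::2], fields[2::2]))  # via X dev Y ... src Z
        routes.append((ipaddress.ip_network(prefix, strict=False), attrs))
    return routes


def rule_matches(selector, src):
    """`from all` matches everything; otherwise the packet source must be in the prefix."""
    if selector == "all":
        return True
    return src is not None and ipaddress.ip_address(src) in ipaddress.ip_network(selector, strict=False)


def lookup(src, dst):
    """Policy routing: walk rules by priority, longest-prefix match inside each table.

    Tables not modelled here (local, default) are treated as empty.
    """
    dst_ip = ipaddress.ip_address(dst)
    for _prio, selector, table in parse_rules(IP_RULE_SHOW):
        if not rule_matches(selector, src):
            continue
        candidates = [(p, a) for p, a in parse_routes(ROUTE_TABLES.get(table, "")) if dst_ip in p]
        if candidates:
            prefix, attrs = max(candidates, key=lambda r: r[0].prefixlen)
            return table, prefix, attrs
    raise LookupError(f"no route to {dst}")


def plan(dst, src=None, forwarded=False):
    """Describe what happens to one packet on the roadwarrior.

    src=None with forwarded=False models a locally originated packet from an
    unbound socket, the only case where the route's `src` hint chooses the
    source. A forwarded packet already carries its source, the hint is
    ignored, and it matches the IPsec selector only after SNAT.
    """
    table, prefix, attrs = lookup(src, dst)
    effective_src = src if (forwarded or src is not None) else attrs.get("src")
    dst_ip = ipaddress.ip_address(dst)
    in_policy = (effective_src is not None
                 and ipaddress.ip_address(effective_src) in POLICY_SRC
                 and dst_ip in POLICY_DST)
    snat_to = None
    if forwarded and not in_policy and dst_ip in POLICY_DST:
        snat_to = str(POLICY_SRC.network_address)
    return {"table": table, "route": str(prefix), "source": effective_src,
            "in_ipsec_policy": in_policy, "snat_to": snat_to}


def snat_rule(local_net):
    """POSTROUTING rule (assumed conventional form) giving forwarded packets the virtual IP."""
    return (f"iptables -t nat -A POSTROUTING -s {local_net} -d {POLICY_DST} "
            f"-j SNAT --to-source {POLICY_SRC.network_address}")


if __name__ == "__main__":
    print("local ping to alice:", plan("10.1.2.1"))
    print("VM ping to alice:   ", plan("10.1.2.1", src="192.168.2.10", forwarded=True))
    print("VM to the internet: ", plan("8.8.8.8", src="192.168.2.10", forwarded=True))
    print(snat_rule("192.168.2.0/24"))
```

<div dir="ltr">Running it shows the two cases side by side: the local ping leaves with 10.2.0.3 because the table 220 hint picked it, while the VM's packet hits the same table 220 route but keeps 192.168.2.10 and is flagged as needing SNAT to 10.2.0.3. Limiting the NAT rule with <code>-d 10.0.0.0/8</code> keeps it from rewriting the VMs' ordinary internet traffic.</div>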