[strongSwan] iptables rule for masquerading | MDS Ref#:00041077

Henry R. Prins HPrins at multidataservices.com
Thu Jan 24 23:48:43 CET 2013


Noel,

The local subnets within the vpn tunnels should not need to be masqueraded.
In fact, if masquerading is turned on in order for your local subnets to route out through your ISP, then you need to turn off the masquerading for when you're talking to the other local subnet.

Try putting this in your iptables before the masquerade

iptables -t nat -I POSTROUTING -s 172.16.19.0/24 -d <remote subnet> -o eth0 -j ACCEPT

And then on the other side

iptables -t nat -I POSTROUTING -d 172.16.19.0/24 -s <remote subnet> -o eth0 -j ACCEPT

Replace <remote subnet> as required. This is assuming, of course, that eth0 is the Ethernet card which your ISP is located on.

Sincerely,

Henry R. Prins Jr.
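The point of Henry's advice is rule order in the nat POSTROUTING chain: the first matching rule wins, and ACCEPT there ends nat processing for that packet, so an exemption appended with -A after the MASQUERADE rule never fires, while one inserted with -I does. The following is an added illustration, not code from the thread or from strongSwan; it models the chain as a first-match list using the 172.16.19.0/24 pool from Noel's config and an assumed 10.0.0.0/24 as a stand-in for <remote subnet>.

```python
import ipaddress

# Constructed example: the nat POSTROUTING chain from the thread, modelled as a
# first-match list. Each rule: src, dst, out_iface, target; None is a wildcard.
TUNNEL = "172.16.19.0/24"   # rightsourceip pool from Noel's config
REMOTE = "10.0.0.0/24"      # assumed stand-in for "<remote subnet>" in Henry's reply

def rule(src=None, dst=None, out=None, target="ACCEPT"):
    return {"src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "out": out, "target": target}

def matches(r, src, dst, out):
    return ((r["src"] is None or ipaddress.ip_address(src) in r["src"]) and
            (r["dst"] is None or ipaddress.ip_address(dst) in r["dst"]) and
            (r["out"] is None or r["out"] == out))

def postrouting(chain, src, dst, out="eth0"):
    """First matching rule decides; no match falls through to the chain policy (ACCEPT)."""
    for r in chain:
        if matches(r, src, dst, out):
            return r["target"]
    return "ACCEPT"

# Noel's original chain: only the MASQUERADE rule, appended with -A.
broken = [rule(src=TUNNEL, out="eth0", target="MASQUERADE")]

# Henry's fix: -I puts the exemption at position 1, so it is evaluated first.
fixed = [rule(src=TUNNEL, dst=REMOTE, out="eth0", target="ACCEPT")] + broken

# Same exemption appended with -A instead: MASQUERADE still matches first.
wrong_order = broken + [rule(src=TUNNEL, dst=REMOTE, out="eth0", target="ACCEPT")]

def render(chain):
    """Emit equivalent iptables commands in evaluation order (so -A is correct here)."""
    lines = []
    for r in chain:
        parts = ["iptables -t nat -A POSTROUTING"]
        if r["src"]:
            parts.append(f"-s {r['src']}")
        if r["dst"]:
            parts.append(f"-d {r['dst']}")
        if r["out"]:
            parts.append(f"-o {r['out']}")
        parts.append(f"-j {r['target']}")
        lines.append(" ".join(parts))
    return lines
```

Running `render(fixed)` gives the two commands in the order they must appear in `iptables -t nat -L POSTROUTING -n --line-numbers` for the exemption to take effect; that listing is the quickest check on a live box.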



-----Original Message-----
From: users-bounces+hprins=multidataservices.com at lists.strongswan.org [mailto:users-bounces+hprins=multidataservices.com at lists.strongswan.org] On Behalf Of Noel Kuntze
Sent: Thursday, January 24, 2013 5:25 PM
To: users at lists.strongswan.org
Subject: [strongSwan] iptables rule for masquerading

Hello,

I need to masquerade the traffic coming out of the tunnel with the subnet 172.16.19.0/24, but the simple rule "iptables -t nat -A POSTROUTING -s 172.16.19.0/24 -o eth0 -j MASQUERADE"
doesn't work for some reason.
It would be nice to know what I'm doing wrong here and what the correct rule would be.

Sincerely,

Noel Kuntze

config:

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev2
        esp=aes256-sha256
        ike=aes256-sha256-modp2048
        tfc=%mtu
        dpdaction=restart
        dpddelay=10
        dpdtimeout=60

conn home
        leftfirewall=yes
        lefthostaccess=yes
        left=<the private ip of the server>
        leftsubnet=<my private subnet>
        leftid=<my dns name>
        leftcert=strongswan.pem
        leftdns=<the private ip of the server>
        rightsourceip=172.16.19.0/24
        auto=add
        rightca=<CA DN>
        right=%any
        rightallowany=yes


_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users