[strongSwan] iptables rule for masquerading | MDS Ref#:00041077

Noel Kuntze noel at familie-kuntze.de
Fri Jan 25 00:16:13 CET 2013 

Hello,

The connection is between  a host and a subnet and the router in the
subnet isn't capable of managing routes (even static routes aren't
possible), so I need to masquerade all the traffic coming out of the
tunnel to the subnet, but for some reason that doesn't work.
I just noticed, that vpn clients can't even access services listening on
eth0 of the vpn server. I don't know why that is happening, as the same
iptables rules apply to clients connecting via openvpn and via ipsec,
and former can access everything accordingly. The problem doesn't seem
to lie in masquerading but in something much more fundamental.

Sincerely,

Noel Kuntze

Am 24.01.2013 23:48, schrieb Henry R. Prins:
> Noel,
>
> The local subnets within the vpn tunnels should not need to be masqueraded.
> In fact if masquerading is turned on in order for your local subnets to route out though your ISP then you need to turn off the masquerading for when you're talking to the other local subnet.
>
> Try putting this in your iptables before the masquerade
>
> Iptables -t nat -I POSTROUTING -s 172.16.19.0/24 -d <remote subnet> -o eth0 -j ACCEPT
>
> And then on the other side
>
> Iptables -t nat -I POSTROUTING -d 172.16.19.0/24 -s <remote subnet> -o eth0 -j ACCEPT
>
> Replace <remote subnet> as required,  This is assuming of course that eth0 is Ethernet card which your ISP is located on.
>
> Sincerely,
>
> Henry R. Prins Jr.
>
>
>
> -----Original Message-----
> From: users-bounces+hprins=multidataservices.com at lists.strongswan.org [mailto:users-bounces+hprins=multidataservices.com at lists.strongswan.org] On Behalf Of Noel Kuntze
> Sent: Thursday, January 24, 2013 5:25 PM
> To: users at lists.strongswan.org
> Subject: [strongSwan] iptables rule for masquerading
>
> Hello,
>
> I need to masquerade the traffic coming out of the tunnel with the subnet 172.16.19.0/24, but the simple rule "iptables -t nat -A POSTROUTING -s 172.16.19.0/24 -o eth0 -j MASQUERADE"
> doesn't work for some reason.
> It would be nice to know what I'm doing wrong here and what the correct rule would be.
>
> Sincerely,
>
> Noel Kuntze
>
> config:
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=3
>         keyexchange=ikev2
>         esp=aes256-sha256
>         ike=aes256-sha256-modp2048
>         tfc=%mtu
>         dpdaction=restart
>         dpddelay=10
>         dpdtimeout=60
>
> conn home
>         leftfirewall=yes
>         lefthostaccess=yes
>         left=<the private ip of the server>
>         leftsubnet=<my private subnet>
>         leftid=<my dns name>
>         leftcert=strongswan.pem
>         leftdns=<the private ip of the server>
>         rightsourceip=172.16.19.0/24
>         auto=add
>         rightca=<CA DN>
>         right=%any
>         rightallowany=yes
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list