[strongSwan] trouble with ARP and NAT on EC2-hosted network
ethan at ethantuttle.com
Tue Jun 18 09:17:34 CEST 2013
Hi, I've been working with strongswan 5.0.4 to set up tunnels from
racoon/OSX to a network hosted in Amazon's EC2. I'm having some trouble
with farp and NAT. The layout is:
Road warrior (behind NAT) --- internet --- EC2 Gateway (strongswan) ---
internal EC2 net
I followed the guides and have tunnels coming up, auth and SA establishment
works fine, and I can ping back and forth from gateway to road warrior.
I'm using IKEv1 with xauth+rsa. Road warrior is assigned a virtual IP on
the "internal EC2" net which is a /24 subnet. leftfirewall=yes is in
strongswan and leftsubnet is the /24 EC2 net. ip_forward is enabled on the
First problem: farp doesn't appear to be advertising road warrior IPs on
the internal EC2 net. When I ping from a host on that net to a road
warrior, I get Destination Host Unreachable. Strongswan was built with
--enable-farp. The arp command on gateway does not show entries for the
virtual IPs. Any clues on how to debug this?
Second problem: SNAT on the gateway doesn't work for traffic coming from
road warriors. All of my tables are set to ACCEPT, and I added two rules
to nat POSTROUTING:
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
29 4242 ACCEPT all -- any eth0 172.30.170.0/24 anywhere policy match dir out pol ipsec
119 9384 SNAT all -- any eth0 172.30.170.0/24
The strongswan box's internal address is .5, and its default route is .1 on
the same subnet, a gateway which ec2 provides. The .1 gateway only
forwards traffic originating from the .5 address. So the strongswan box
must SNAT packets coming over ipsec before forwarding to the .1 gateway.
Strangely, the SNAT rule seems to match packets (counter goes up), but
watching the outgoing traffic with tcpdump, it still has the road warrior
source IP when it leaves eth0. I also noticed the same SNAT rule works for
traffic coming from hosts on the internal EC2 net routing through the
strongswan gateway. So there's something special about traffic originating
from ipsec. Are additional iptables rules required?
Thanks for the excellent software and documentation.
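The second problem above comes down to the order and shape of two nat POSTROUTING rules: the policy-match exclusion (ACCEPT ... policy match dir out pol ipsec) that keeps tunnel-bound traffic out of NAT, and the SNAT rule that rewrites road-warrior sources to the gateway's own address. The following is an added example, not code from the post or from the strongSwan project: a small Python checker that parses the `iptables -t nat -L POSTROUTING -v` listing format quoted above and verifies that the exclusion precedes the SNAT rule (the ordering strongSwan's own NAT documentation uses, since iptables evaluates rules top to bottom) and that the SNAT target is the gateway address the upstream .1 router accepts. The sample listing is constructed to match the poster's layout; the destination column (truncated in the post), the gateway address 172.30.170.5 and the interface name are assumptions.

```python
"""Check a strongSwan gateway's nat POSTROUTING chain for the SNAT-with-IPsec pattern.

Added example; not the poster's or strongSwan's code. Parses the output of
`iptables -t nat -L POSTROUTING -v` and reports ordering or target problems.
"""
import ipaddress
import re

# Constructed sample following the post's layout. The destination column and
# the SNAT "to:" address (.5 inside 172.30.170.0/24) are assumptions.
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  4242 ACCEPT     all  --  any    eth0    172.30.170.0/24      anywhere             policy match dir out pol ipsec
  119  9384 SNAT       all  --  any    eth0    172.30.170.0/24      anywhere             to:172.30.170.5
"""

COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _count(text):
    """Turn an iptables -v counter such as '4242' or '12K' into an int."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def parse_postrouting(listing):
    """Parse an `iptables -t nat -L POSTROUTING -v` listing into a list of rule dicts."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        # Skip the "Chain ..." banner, the column header line and blank lines.
        if len(fields) < len(COLUMNS) or not fields[0][0].isdigit():
            continue
        rule = dict(zip(COLUMNS, fields[:len(COLUMNS)]))
        rule["pkts"] = _count(rule["pkts"])
        rule["bytes"] = _count(rule["bytes"])
        extra = " ".join(fields[len(COLUMNS):])
        rule["extra"] = extra
        # "policy match dir out pol ipsec" marks the IPsec exclusion rule.
        m = re.search(r"policy match dir (\w+) pol (\w+)", extra)
        rule["policy"] = {"dir": m.group(1), "pol": m.group(2)} if m else None
        # "to:ADDR" is the SNAT target printed by iptables.
        m = re.search(r"\bto:(\S+)", extra)
        rule["to"] = m.group(1) if m else None
        rules.append(rule)
    return rules


def check_snat_rules(rules, pool, out_if, gateway_ip):
    """Return a list of findings; an empty list means the chain matches the expected pattern.

    pool       - source range the rules should cover (e.g. the road-warrior virtual IP /24)
    out_if     - interface towards the EC2 router (e.g. eth0)
    gateway_ip - the gateway's own address, the only source the upstream router forwards
    """
    findings = []
    net = ipaddress.ip_network(pool, strict=False)
    if ipaddress.ip_address(gateway_ip) not in net:
        findings.append(f"gateway address {gateway_ip} is not inside {pool}")

    snat_idx = excl_idx = None
    for idx, r in enumerate(rules):
        if r["source"] != pool or r["out"] != out_if:
            continue
        if r["target"] == "SNAT" and snat_idx is None:
            snat_idx = idx
        if (r["target"] == "ACCEPT" and r["policy"] == {"dir": "out", "pol": "ipsec"}
                and excl_idx is None):
            excl_idx = idx

    if snat_idx is None:
        findings.append(f"no SNAT rule for {pool} leaving {out_if}")
    elif rules[snat_idx]["to"] != gateway_ip:
        findings.append(f"SNAT rewrites to {rules[snat_idx]['to']}, but the upstream router "
                        f"only forwards traffic sourced from {gateway_ip}")

    if excl_idx is None:
        findings.append("no 'policy match dir out pol ipsec' ACCEPT rule: traffic that will be "
                        "IPsec-encrypted on the way out is SNATed too")
    elif snat_idx is not None and excl_idx > snat_idx:
        findings.append("IPsec exclusion is listed after the SNAT rule; iptables evaluates "
                        "rules in order, so tunnel-bound packets reach SNAT first")
    return findings


if __name__ == "__main__":
    parsed = parse_postrouting(SAMPLE_LISTING)
    for finding in check_snat_rules(parsed, "172.30.170.0/24", "eth0", "172.30.170.5") or ["ok"]:
        print(finding)
```

Feed it the real listing with `iptables -t nat -L POSTROUTING -v` (the `-n` variant also parses, since the source and destination columns are just taken verbatim) and it flags a missing or mis-ordered exclusion and a SNAT target the .1 router would refuse to forward; a clean result with the symptom still present means the problem is not in these two rules.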