[strongSwan] trouble with ARP and NAT on EC2-hosted network

Ethan Tuttle ethan at ethantuttle.com
Tue Jun 18 09:17:34 CEST 2013

Hi, I've been working with strongswan 5.0.4 to set up tunnels from
racoon/OSX to a network hosted in Amazon's EC2.  I'm having some trouble
with farp and NAT.  The layout is:

Road warrior (behind NAT) --- internet --- EC2 Gateway (strongswan) ---
internal EC2 net

I followed the guides and have tunnels coming up, auth and SA establishment
works fine, and I can ping back and forth from gateway to road warrior.
I'm using IKEv1 with xauth+rsa.  Road warrior is assigned a virtual IP on
the "internal EC2" net which is a /24 subnet.  leftfirewall=yes is in
strongswan and leftsubnet is the /24 EC2 net.  ip_forward is enabled on the

First problem: farp doesn't appear to be advertising road warrior IPs on
the internal EC2 net.  When I ping from a host on that net to a road
warrior, I get Destination Host Unreachable.  Strongswan was built with
--enable-farp.  The arp command on gateway does not show entries for the
virtual IPs.  Any clues on how to debug this?

Second problem: SNAT on the gateway doesn't work for traffic coming from
road warriors.  All of my tables are set to ACCEPT, and I added two rules

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
   29  4242 ACCEPT     all  --  any    eth0    anywhere             policy match dir out pol ipsec
  119  9384 SNAT       all  --  any    eth0    anywhere             to:

The strongswan box's internal address is .5, and its default route is .1 on
the same subnet, a gateway which ec2 provides.  The .1 gateway only
forwards traffic originating from the .5 address.  So the strongswan box
must SNAT packets coming over ipsec before forwarding to the .1 gateway.
Strangely, the SNAT rule seems to match packets (counter goes up), but
watching the outgoing traffic with tcpdump, it still has the roadwarrior
source IP when it leaves eth0.  I also noticed the same SNAT rule works for
traffic coming from hosts on the internal EC2 net routing through the
strongswan gateway.  So there's something special about traffic originating
from ipsec.  Are additional iptables rules required?

Thanks for the excellent software and documentation.
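The debugging step described in the message (watching which POSTROUTING rule counters advance when test traffic is sent) can be automated. The following is an added example, not code from the thread or from the strongSwan project: it parses two snapshots of `iptables -t nat -L POSTROUTING -v` output in the column layout shown above and reports the per-rule packet delta. The snapshots are constructed, and the `to:` address is a placeholder since the message omits it.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshots of `iptables -t nat -L POSTROUTING -v`, taken before and
# after sending test traffic from a road warrior. The SNAT target address is a
# placeholder (the original message does not show it).
BEFORE = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  4242 ACCEPT     all  --  any    eth0    anywhere             anywhere             policy match dir out pol ipsec
  119  9384 SNAT       all  --  any    eth0    anywhere             anywhere             to:10.0.0.5
"""
AFTER = BEFORE.replace("  119  9384 SNAT", "  124  9804 SNAT")

# Columns of `-L -v`: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s*(.*)$")

def _count(s: str) -> int:
    """Expand the K/M/G suffix iptables uses when -x is not given."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_chain(text: str) -> List[Dict[str, object]]:
    """Return the rules of one chain listing, in chain order."""
    rules = []
    for line in text.splitlines():
        if line.startswith("Chain") or line.lstrip().startswith("pkts"):
            continue  # chain banner and column header carry no rule
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, prot, opt, iface_in, iface_out, src, dst, extra = m.groups()
        rules.append({"pkts": _count(pkts), "bytes": _count(nbytes), "target": target,
                      "prot": prot, "in": iface_in, "out": iface_out, "src": src,
                      "dst": dst, "extra": extra.strip()})
    return rules

def counter_deltas(before: str, after: str) -> List[Tuple[int, str, str, int]]:
    """Pair rules by position (order is significant in netfilter) and return
    (rule_number, target, extra_matches, packets_matched_between_snapshots)."""
    b, a = parse_chain(before), parse_chain(after)
    if len(a) != len(b):
        raise ValueError("rule count changed between snapshots; re-take both")
    return [(i + 1, ra["target"], ra["extra"], ra["pkts"] - rb["pkts"])
            for i, (rb, ra) in enumerate(zip(b, a))]

if __name__ == "__main__":
    for num, target, extra, delta in counter_deltas(BEFORE, AFTER):
        print(f"rule {num}: {target:<7} {extra:<32} +{delta} packets")
```

For exact counters and numeric addresses take the snapshots with `iptables -t nat -L POSTROUTING -v -n -x`; a rule whose counter rises while tcpdump still shows the original source address tells you the packet reached that rule, so the next thing to compare is the decrypted-packet path rather than the rule itself.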