[strongSwan] NAT over VPN
Will Wykeham
will at wykeham.net
Fri Nov 22 18:52:21 CET 2013
I've got a local subnet with statically assigned addresses - 10.65.112.0/22.
One of the devices is a Linux box acting as a gateway with a PPP
connection; it has a normal Ethernet controller with address 10.65.112.69,
and when the PPP connection is up it has an assigned address of 10.1.20.19.
Also on the local subnet is another machine (Windows as it happens),
10.65.112.174, with gateway set to the .69 machine.
Prior to integrating the VPN, I had some normal NAT going on so that the
Windows box could communicate with the outside world, but using the
"public" IP of 10.1.20.19. A fairly standard sort of rule:

    iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

This worked fine - I could ping other devices on the public net directly
from the Windows box.
I've now got an IPSEC based VPN, with the following connection setup:

    conn MYCONN
        left=%defaultroute
        leftsourceip=%config
        right=10.1.40.1
        rightsubnet=10.31.21.0/24
        auto=add

This VPN works fine and from the Linux gateway I can ping remote devices
(10.31.21.XXX) without any problem. If I add in my NAT rule again though,
everything breaks - I can't ping from the local machine or the Windows box.
The packets go out on the PPP interface but without being encapsulated,
whether they've been locally or remotely generated.
My understanding of the iptables NAT table is that it takes place before it
gets to the xfrm lookup
(http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg),
and so once the source has been rewritten to 10.1.20.19, it should get
picked up by the vpn and encapsulated, but that is clearly not what's
happening.
I've been banging my head against this for a little while now, so any help
much appreciated!
Will
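Added illustration (not part of the post above): a small model of the output path the post describes, nat POSTROUTING first and the xfrm policy lookup afterwards, using the post's addresses. The one value the post does not give is the virtual IP assigned by leftsourceip=%config, so 10.3.0.1 is a constructed placeholder; with no leftsubnet set, that virtual IP is the whole local traffic selector, which is why a packet rewritten to 10.1.20.19 no longer matches the policy and leaves in the clear. The FIXED rule set shows the usual ordering that keeps IPsec-bound traffic out of MASQUERADE (the `-m policy --dir out --pol ipsec` match) and SNATs the LAN to the virtual IP for the remote subnet.

```python
import ipaddress as ipa

# Addresses from the post; the virtual IP from leftsourceip=%config is not
# in the post, so 10.3.0.1 is a constructed placeholder.
PPP_IP = ipa.ip_address("10.1.20.19")
VIRT_IP = ipa.ip_address("10.3.0.1")
LAN = ipa.ip_network("10.65.112.0/22")
REMOTE = ipa.ip_network("10.31.21.0/24")

# Outbound xfrm policy for conn MYCONN: with leftsourceip=%config and no
# leftsubnet, the local selector is the virtual IP alone (/32).
XFRM_POLICY = (ipa.ip_network(f"{VIRT_IP}/32"), REMOTE)

def matches_policy(src, dst):
    """xfrm selector check: both addresses must fall inside the selector."""
    lsub, rsub = XFRM_POLICY
    return src in lsub and dst in rsub

def nat_postrouting(rules, src, dst):
    """Walk nat POSTROUTING in order; the first terminating target wins.
    Each rule is (match_fn, target, arg). '-m policy --dir out --pol ipsec'
    is modelled by matches_policy on the packet's *current* addresses."""
    for match, target, arg in rules:
        if not match(src, dst):
            continue
        if target == "ACCEPT":
            return src
        if target == "MASQUERADE":
            return PPP_IP  # rewritten to the outgoing interface address
        if target == "SNAT":
            return arg
    return src

def send(rules, src, dst):
    """NAT runs before the xfrm lookup on the output path (as in the post).
    Returns (source address on the wire, 'esp' or 'clear')."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    src = nat_postrouting(rules, src, dst)
    return str(src), ("esp" if matches_policy(src, dst) else "clear")

# The post's rule set: masquerade everything leaving ppp0.
MASQ_ONLY = [(lambda s, d: True, "MASQUERADE", None)]
# Usual ordering: exempt IPsec-bound traffic, SNAT the LAN to the virtual IP
# for the remote subnet, then masquerade the rest.
FIXED = [
    # iptables -t nat -I POSTROUTING -o ppp0 -m policy --dir out --pol ipsec -j ACCEPT
    (matches_policy, "ACCEPT", None),
    # iptables -t nat -A POSTROUTING -s 10.65.112.0/22 -d 10.31.21.0/24 -j SNAT --to 10.3.0.1
    (lambda s, d: s in LAN and d in REMOTE, "SNAT", VIRT_IP),
    # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    (lambda s, d: True, "MASQUERADE", None),
]
```

`send(MASQ_ONLY, "10.3.0.1", "10.31.21.5")` reproduces the symptom (source rewritten to 10.1.20.19, sent in the clear), while the same packet and a LAN packet from 10.65.112.174 both go out as ESP under FIXED.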