[strongSwan] Make strongswan tunnel traffic coming from strange places

Gergely Horváth gergely.horvath at inepex.com
Thu Oct 3 17:03:35 CEST 2013


Hello guys!

We switched to strongswan half a year ago and had a lot of good
experiments since then. We are about to move a bigger part of our
infrastructure to another data centre, but our VPN connections will stay
for a little more.

FYI: I have a TL;DR section at the bottom

I've done everything to route all traffic to the new location, but the
tests failed, and I assume one of the VPN hosts is the bad guy. This is
the relevant part of the architecture:

Old data center:
We have a VPN host "OLD-VPN". It has connections to mobile network
providers, let's call the remote network at the telecom side the
"SIM-NET" network. Now the OLD-VPN machine sits in the "OLD-NET"
network, where we also have a router called OLD-ROUTER.
At the moment, all the devices on the SIM-NET network try to access an
IP address that the OLD-ROUTER has, and things work fine. This is a simple
site-to-site VPN setup. The only twist is that the OLD-ROUTER has a
transparent proxy and redirects traffic to the OLD-SERVER. This also
works fine - but let me give you a quick overview of a packet from a
mobile device in SIM-NET to OLD-SERVER and back:

Step. from address -> to address (IP layer)
	from device -> to device (Ethernet layer)
	via route/link

1. mobile device -> OLD-ROUTER
	mobile device -> OLD-VPN
	via the telecom - our company VPN connection
2. mobile device -> OLD-ROUTER
	OLD-VPN -> OLD-ROUTER
	via the OLD-NET internal network
3. mobile device -> OLD-SERVER
	OLD-ROUTER -> OLD-SERVER
	via the OLD-NET internal network
NOTE: OLD-SERVER changed the destination address in the IP header

OLD-SERVER gets the package, replies:

1. OLD-SERVER -> mobile device
	OLD-SERVER -> OLD-ROUTER
	via the OLD-NET internal network
NOTE: OLD-SERVER could send the package directly to OLD-VPN, but the
route table is modified, so the OLD-ROUTER can change the source address
in the IP header
2. OLD-ROUTER -> mobile device
	OLD-ROUTER -> OLD-VPN
3. OLD-ROUTER -> mobile device
	OLD-VPN -> mobile device
	via the telecom - our company VPN connection

This works fine. The problem starts, when we try to redirect the traffic
to the NEW-SERVER on the NEW-NET network, that is connected to the
OLD-NET network via a second VPN tunnel between NEW-VPN and OLD-VPN
hosts. A packet should travel like:

1. mobile device -> OLD-ROUTER
	mobile device -> OLD-VPN
	via the telecom VPN connection
2. mobile device -> OLD-ROUTER
	OLD-VPN -> OLD-ROUTER
	via the OLD-NET network
NOTE: OLD-ROUTER got the package and rewrote the IP destination
address to NEW-SERVER
3. mobile device -> NEW-SERVER
	OLD-ROUTER -> OLD-VPN
	via the OLD-NET network
NOTE: The OLD-VPN host gets the package, and SHOULD put it in the tunnel
4. mobile device -> NEW-SERVER
	OLD-VPN -> NEW-VPN
	via the OLD data center - NEW data center VPN connection
5. mobile device -> NEW-SERVER
	NEW-VPN -> NEW-SERVER
	via the NEW-NET network

The problem is at step 3.

Test1: If a mobile device tries to access the NEW-NET network directly
(it should not do that), it can reach the NEW-SERVER - and what I see in
tcpdump is a packet from SIM-NET to NEW-NET, but the direction it comes
from is REALLY the SIM-NET network, the mobile device sends it. It works
fine. It should work, but mobile devices will never access the NEW-NET
network directly; otherwise we would not need the OLD-NET network and the
OLD-ROUTER. Just remember this: I see a packet from SIM-NET (actually
coming from there) to NEW-NET, and the connection works.

Test2: If a mobile device tries to access the OLD-SERVER on the OLD-NET,
the OLD-SERVER gets the packet, changes the destination and the packet
gets back to OLD-VPN at step 3. What I see is the same as in Test1: I see a
packet from SIM-NET (but actually coming from OLD-ROUTER on the OLD-NET
network) to NEW-NET. In this case, strongswan does not grab the packet
and does not put it on the tunnel to NEW-NET.

TL;DR:

So my question is: how can I make strongswan grab a packet from SIM-NET
to NEW-NET and tunnel it, when the packet's source address is SIM-NET,
but it comes from a different (OLD-NET network) direction?

One thing I will try next week is to put the OLD-NET <-> NEW-NET VPN on a
different VPN host, so the packets from SIM-NET to NEW-NET will have to
travel to the new VPN host either way - and both packets will look the
same so strongswan should grab both of them.

Thank you,

Üdvözlettel / Best regards
Gergely Horváth | gergely.horvath at inepex.com
http://inepex.com | IT Development and Location Based Services
http://inetrack.com | The customizable fleet tracking platform
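As an added illustration (not code from the poster or from strongSwan), the following Python model shows why Test1 and Test2 look identical to the IPsec policy database: an SPD entry keys only on address selectors, so both packets match the same OLD-VPN <-> NEW-VPN policy. What the kernel does check against the ingress interface is reverse-path filtering, and the model applies it in strict and loose mode to the two packets. The interface names, the RFC 5737 addresses and the routing table are constructed assumptions about OLD-VPN, not the poster's real configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (RFC 5737 documentation ranges), not the poster's.
SIM_NET = ip_network("192.0.2.0/24")     # mobile devices behind the telecom tunnel
OLD_NET = ip_network("198.51.100.0/24")  # OLD-ROUTER / OLD-SERVER side of OLD-VPN
NEW_NET = ip_network("203.0.113.0/24")   # NEW-SERVER behind NEW-VPN

# Assumed OLD-VPN interfaces: eth0 faces the Internet (both tunnels terminate there,
# and decrypted telecom traffic surfaces on it with policy-based IPsec), eth1 faces OLD-NET.
ROUTES = [(OLD_NET, "eth1"), (ip_network("0.0.0.0/0"), "eth0")]

# Policies the way strongSwan installs them: selectors only, no ingress-interface field.
SPD = [(SIM_NET, NEW_NET, "OLD-VPN<->NEW-VPN"), (NEW_NET, SIM_NET, "OLD-VPN<->NEW-VPN"),
       (SIM_NET, OLD_NET, "telecom<->OLD-VPN"), (OLD_NET, SIM_NET, "telecom<->OLD-VPN")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iif: str  # interface the packet entered OLD-VPN on

def spd_lookup(pkt, spd=SPD):
    """Return the tunnel whose selectors cover the packet, ignoring where it came from."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for src_sel, dst_sel, tunnel in spd:
        if s in src_sel and d in dst_sel:
            return tunnel
    return None

def route_iface(addr, routes=ROUTES):
    """Longest-prefix route lookup: the interface OLD-VPN would use to reach addr."""
    hits = [r for r in routes if ip_address(addr) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def rp_filter_accepts(pkt, mode, routes=ROUTES):
    """Model of net.ipv4.conf.*.rp_filter: 0 off, 1 strict (reverse route must leave
    via the ingress interface), 2 loose (a reverse route via any interface suffices)."""
    back = route_iface(pkt.src, routes)
    if mode == 0:
        return True
    if mode == 1:
        return back == pkt.iif
    return back is not None

def trace(pkt, rp_mode):
    """What OLD-VPN does with one packet: drop it at rp_filter, or hand it to a tunnel."""
    if not rp_filter_accepts(pkt, rp_mode):
        return f"dropped by rp_filter on {pkt.iif}"
    return spd_lookup(pkt) or "no policy: forwarded in the clear"

# Test1: fresh out of the telecom tunnel. Test2: same addresses, but handed back by OLD-ROUTER.
TEST1 = Packet("192.0.2.10", "203.0.113.20", "eth0")
TEST2 = Packet("192.0.2.10", "203.0.113.20", "eth1")
```

On a real OLD-VPN the two inputs to this model come from `ip xfrm policy` (the selectors) and `sysctl net.ipv4.conf.all.rp_filter` together with the per-interface `rp_filter` values; a Test2 packet that never shows up in the tunnel while `ip route get` for its source points at a different interface is the asymmetric case the strict mode drops.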