[strongSwan] Strongswan / Site-Site and source - destination NAT

Mark Gordon markgne at gmail.com
Thu Aug 7 16:51:09 CEST 2014


Hi All,

I need some advice on using NAT with strongswan in an AWS VPC.  I can get the
VPN connected but I cannot ping the far host 172.16.1.52 and I am told ICMP
is open on the far end. What if anything am I missing?  Thanks in advance
for your help!

Mark

   - Strongswan Host IP  = 10.0.57.4
   - Client wants 10.0.57.4 to be translated to 192.168.11.15 when
   traversing the VPN.
   - I setup a rule in iptables that translates 10.0.57.4 to 192.168.11.15
   for all traffic destined to 172.16.1.52 (see the following rule)
   - Looking at ipsec status; I see 192.168.11.15 referenced in phase 1 and
   the phase 2 SA's are established



****IPTABLES*****

# Generated by iptables-save v1.4.12 on Wed Aug  6 22:25:42 2014
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [1:84]
:POSTROUTING ACCEPT [1:84]
# Source-NAT only this host's own address, and only for traffic to the single
# far-end host, so nothing else leaving the instance is rewritten.
# NOTE(review): on a Linux netkey/xfrm stack the POSTROUTING SNAT is applied
# before outbound packets are matched against the IPsec policy (to my
# understanding - confirm), so the tunnel's left subnet has to be the
# translated address 192.168.11.15/32 rather than 10.0.57.4/32. The pasted
# `ipsec status` does show 192.168.11.15/32 as the policy's left side, which
# is consistent with that.
# (The rule below is a single line; it appears to have been wrapped by the
# mail client.)
-A POSTROUTING -s 10.0.57.4/32 -d 172.16.1.52/32 -j SNAT --to-source
192.168.11.15
COMMIT
# Completed on Wed Aug  6 22:25:42 2014
# Generated by iptables-save v1.4.12 on Wed Aug  6 22:25:42 2014
*filter
:INPUT ACCEPT [90:6048]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4077:485363]
# NOTE(review): every chain's default policy is ACCEPT and there is no DROP or
# REJECT rule, so this table filters nothing and the rule below has no effect.
# In particular nothing requires traffic from 172.16.1.52 to have arrived
# through the tunnel (no `-m policy --dir in --pol ipsec` match), so the same
# packets would also be accepted in the clear. Either way, the missing ping
# reply is not being dropped here.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Aug  6 22:25:42 2014


*****IPSEC.CONF******
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # Both IKE daemons are started. The "000 ... STATE_MAIN_I4" /
        # "STATE_QUICK_I2" lines in the pasted `ipsec status` are pluto's output
        # format, so the IKEv1 conn below appears to be handled by pluto rather
        # than charon (strongSwan 4.x layout) - confirm with `ipsec version`.
        charonstart=yes
        plutostart=yes

# Add connections here.

conn %default
        # Common connection parameters inherited by every conn in this file.
        # Pre-shared-key authentication; the key itself lives in ipsec.secrets,
        # which is not part of this listing.
        authby=secret
        # IKEv1 for all conns unless a conn overrides it.
        keyexchange=ikev1

conn u0
        # Connection Security Parameters
        type=tunnel
        auth=esp
        # NOTE(review): 3DES, MD5 and the 1024-bit MODP group are legacy
        # algorithm choices; if the far end supports it, prefer e.g. AES with
        # SHA-2 and a 2048-bit or larger DH group. Left as-is here because the
        # proposals must match what the peer accepts.
        ike=3des-md5-modp1024
        esp=3des-sha1-modp1024
        # Fresh DH exchange on every IPsec SA rekey.
        pfs=yes
        # Always UDP-encapsulate ESP (NAT-T), even if no NAT is detected.
        forceencaps=yes
        ikelifetime=28800s
        keylife=28800s
        # Left security gateway, subnet behind it, nexthop toward right.
        # left is the instance's private address while leftid is a different
        # address (presumably the public/elastic IP in front of the instance -
        # confirm), so the peer must expect 50.80.11.5 as our identity.
        left=10.0.57.4
        leftid=50.80.11.5
        # NOTE(review): the pasted `ipsec status` shows the installed policy as
        # 192.168.11.15/32===10.0.57.4[...]...===172.16.1.52/32, not
        # 10.0.57.4/32, so the running configuration does not match this value
        # (stale listing, or edited after load?). With the POSTROUTING SNAT rule
        # the source address IPsec sees is the translated one (to my
        # understanding of netkey - confirm), so leftsubnet=192.168.11.15/32,
        # which is what the status reports, is the value consistent with the
        # NAT rule. The status also reports 0 bytes on both SAs, i.e. no packet
        # had matched the policy at that point.
        leftsubnet=10.0.57.4/32
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, nexthop toward left.
        right=80.12.15.7
        rightid=80.12.15.7
        rightsubnet=172.16.1.52/32
        rightnexthop=%defaultroute
        # auto=start loads the conn and initiates it at startup. (The template
        # wording about "authorize but not start" describes auto=add, which is
        # not what is set here.)
        auto=start


*****IPSEC STATUS********
000 "u0":
192.168.11.15/32===10.0.57.4[50.80.11.5]---10.0.57.1...10.0.57.1---80.12.15.7[80.12.15.7]===172.16.1.52/32;
erouted; eroute owner: #3
000 "u0":   newest ISAKMP SA: #2; newest IPsec SA: #3;
000 #3: "u0" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 28044s; newest IPSEC; eroute owner
000 #3: "u0" esp.########@80.12.15.7 (0 bytes) esp.#######@10.0.57.4 (0
bytes); tunnel
000 #2: "u0" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
27803s; newest ISAKMP

