[strongSwan] SNAT Packet Loss

thebass thebass at gmail.com
Fri Feb 28 18:16:55 CET 2014


I have a pretty simple setup, with a private OpenVZ CentOS guest acting as
my VPN server and a Windows 8 laptop behind NAT as my roadwarrior.

Strongswan is configured according to:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

The OpenVZ machine has 3 major interfaces:
venet0 - 127.0.0.1
venet0:0 - VPN_PUBLIC_IP
venet0:1 - VPN_PRIVATE_IP

During testing, I flush my firewall and add:
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source VPN_PUBLIC_IP
sysctl -w net.ipv4.ip_forward=1

I can establish the VPN connection fine, and I can ping VPN_PUBLIC_IP and
VPN_PRIVATE_IP from roadwarrior.

However, for my outbound data to the Internet... the SNAT works, but I never get
a reply.

tcpdump of ping request launched by VPN server:
03:28:20.655767 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 31238, seq 1, length 64
03:28:20.657101 IP 198.41.191.47 > VPN_PUBLIC_IP: ICMP echo reply, id 31238, seq 1, length 64
03:28:21.656533 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 31238, seq 2, length 64
03:28:21.657896 IP 198.41.191.47 > VPN_PUBLIC_IP: ICMP echo reply, id 31238, seq 2, length 64

tcpdump of ping request launched by roadwarrior:
03:29:32.581933 IP 10.0.0.1 > 198.41.191.47: ICMP echo request, id 1, seq 79, length 40
03:29:32.582033 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 1, seq 79, length 40
03:29:37.241501 IP 10.0.0.1 > 198.41.191.47: ICMP echo request, id 1, seq 80, length 40
03:29:37.241658 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 1, seq 80, length 40

As you can see, the packet is rewritten, but I never get a reply. I do
notice id/seq/length are different, but I am not savvy enough to tell what
that means.

Can anyone give me any clues or insight as to what may be happening? It
looks to me like either the re-written packet is never put onto the wire,
or it is corrupted so the remote host does not reply, but again I'm in a
little over my head.

-Patrick
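An added example (not from the poster or the strongSwan project) that turns the capture above into a check: it pairs each pre-SNAT request from the 10.0.0.0/8 side with its rewritten copy and the eventual echo reply by (remote, id, seq), so that "SNAT fired but no reply ever came back" is flagged per flow rather than read off by eye. The sample lines are the post's own capture re-joined onto single lines; VPN_PUBLIC_IP is kept as the post's placeholder, and the private prefix and public address are parameters you would set to your own values.

```python
import re

# Constructed sample: the post's tcpdump output with wrapped lines re-joined.
# VPN_PUBLIC_IP is the placeholder used in the post, not a real address.
CAPTURE = """\
03:28:20.655767 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 31238, seq 1, length 64
03:28:20.657101 IP 198.41.191.47 > VPN_PUBLIC_IP: ICMP echo reply, id 31238, seq 1, length 64
03:29:32.581933 IP 10.0.0.1 > 198.41.191.47: ICMP echo request, id 1, seq 79, length 40
03:29:32.582033 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 1, seq 79, length 40
03:29:37.241501 IP 10.0.0.1 > 198.41.191.47: ICMP echo request, id 1, seq 80, length 40
03:29:37.241658 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 1, seq 80, length 40
"""

# One tcpdump ICMP echo line in the default (non -v) output format.
ECHO = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def audit_snat(capture, public_ip="VPN_PUBLIC_IP", private_prefix="10."):
    """Map each echo flow (remote, id, seq) to what the capture shows of it.

    'replied'       - an echo reply addressed to public_ip came back
    'snat-no-reply' - the private request was re-emitted from public_ip
                      (SNAT fired) but no reply was ever captured
    'no-reply'      - a request left with neither a rewrite nor a reply
    """
    flows = {}
    blank = lambda: {"private": False, "public": False, "reply": False}
    for line in capture.splitlines():
        m = ECHO.match(line)
        if not m:
            continue  # ignore non-ICMP lines in a real capture
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            f = flows.setdefault((m["dst"], ident, seq), blank())
            if m["src"].startswith(private_prefix):
                f["private"] = True      # packet as the roadwarrior sent it
            elif m["src"] == public_ip:
                f["public"] = True       # same packet after SNAT rewrote the source
        elif m["dst"] == public_ip:
            flows.setdefault((m["src"], ident, seq), blank())["reply"] = True
    result = {}
    for key, f in flows.items():
        if f["reply"]:
            result[key] = "replied"
        elif f["private"] and f["public"]:
            result[key] = "snat-no-reply"
        else:
            result[key] = "no-reply"
    return result

def lost_after_snat(capture):
    """Flows whose rewritten request got no answer, the symptom in the post."""
    return sorted(k for k, v in audit_snat(capture).items() if v == "snat-no-reply")

if __name__ == "__main__":
    for key, status in sorted(audit_snat(CAPTURE).items()):
        print(key, status)
```

Feed it the output of a tcpdump run on the outside interface (for example `tcpdump -n -i venet0 icmp`) and a flow that is rewritten but never answered shows up as `snat-no-reply`, while the server's own ping shows `replied`.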