[strongSwan] masquerade tunneled traffic

Miroslav Svoboda goodmirek at goodmirek.cz
Wed Apr 29 07:44:42 CEST 2015


Hello,

In my environment it works this way (tailored for your IP ranges):
iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -d 10.2.0.0 -j RETURN
-A POSTROUTING -s 10.0.0.0/24 ! -d 1.1.1.0/24 -o eth0 -j MASQUERADE

I do not want traffic from the client to get masqueraded within the server's 
internal subnet.

Also please note that strongSwan also installs an additional routing table, 
number 220:
ip route show table 220
However, I assume you don't have any problem with routing and you can ping 
from subnet 10.0.0.0/24 to subnet 10.2.0.0/24.

BR,
Miroslav

On Monday, April 27, 2015 at 6:26:45 PM UTC+2, ch+str... at henniger.info 
wrote:
>
> Hello,
>
> Hoping someone can help me:
>
> With the following LAN-LAN Setup 
> Server 10.2.0.0/24 - 1.1.1.1 --- 2.2.2.2 - 10.0.0.0/24 Client
>
> I try to route the whole traffic from the client through the server, with 
> the traffic masqueraded to the public net.
>
> tcpdump on the server shows the traffic is routed but not masqueraded. 
> (example from host (10.0.0.110) inside the client net to a public IP (
> www.heise.de))
>
> 17:45:47.871219 IP 10.0.0.110 > www.heise.de: ICMP echo request, id 20758, seq 6, length 64
>
> Thank you in advance for any advice.
>
> Chris
>
>
> My Configuration:
>
> Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 
> GNU/Linux
> StrongSwan 5.2.1-6
>
> # cat /etc/ipsec.conf
> ---
> config setup
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ike
>         mobike=no
>
> conn divinus
>         left=1.1.1.1
>         leftsubnet=0.0.0.0/0
>         right=%any
>         rightsubnet=10.0.0.0/24
>         auto=add
> ---
>
>
> # ip xfrm policy 
> ---                       
> src 10.0.0.0/24 dst 10.2.0.0/24 
>         dir fwd priority 2883 ptype main 
>         tmpl src 2.2.2.2 dst 1.1.1.1
>                 proto esp reqid 1 mode tunnel
> src 10.0.0.0/24 dst 10.2.0.0/24 
>         dir in priority 2883 ptype main 
>         tmpl src 2.2.2.2 dst 1.1.1.1
>                 proto esp reqid 1 mode tunnel
> src 10.2.0.0/24 dst 10.0.0.0/24 
>         dir out priority 2883 ptype main 
>         tmpl src 1.1.1.1 dst 2.2.2.2
>                 proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0 
>         socket in priority 0 ptype main 
> src 0.0.0.0/0 dst 0.0.0.0/0 
>         socket out priority 0 ptype main 
> src 0.0.0.0/0 dst 0.0.0.0/0 
>         socket in priority 0 ptype main 
> src 0.0.0.0/0 dst 0.0.0.0/0 
>         socket out priority 0 ptype main 
> src ::/0 dst ::/0 
>         socket in priority 0 ptype main 
> src ::/0 dst ::/0 
>         socket out priority 0 ptype main 
> src ::/0 dst ::/0 
>         socket in priority 0 ptype main 
> src ::/0 dst ::/0 
>         socket out priority 0 ptype main
>
>
>
> # route
> Kernel-IP-Routentabelle
> Ziel            Router          Genmask         Flags Metric Ref    Use Iface
> default         1.1.1.1         0.0.0.0         UG    0      0        0 eth0
> 10.2.0.0        *               255.255.255.0   U     0      0        0 eth0
> 1.1.1.0         1.1.1.1         255.255.255.0   UG    0      0        0 eth0
> 1.1.1.0         *               255.255.255.0   U     0      0        0 eth0
>
>
>
> # cat /proc/sys/net/ipv4/ip_forward
> 1
>
>
>
> # iptables -L -v
> ---
> Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> ---
>
>
> # iptables -t nat -L -v
> ---
> Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec
>     0     0 LOG        all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec LOG level warning
>  1709  121K MASQUERADE  all  --  any    eth0    anywhere            !10.0.0.0/24
> ---
>
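As an added, stand-alone illustration (not code from the thread): a small Python evaluator for the POSTROUTING rules in the reply above, using iptables' first-match semantics, so the effect of rule order and of the bare `-d 10.2.0.0` (iptables reads a bare address as a /32, so only that single address is exempted from masquerading) can be checked offline before touching a live gateway. The rule text is copied from the reply and the packet addresses are constructed (203.0.113.10 is a TEST-NET address).

```python
import ipaddress
import shlex

# Constructed sample: the POSTROUTING rules from the reply, as printed by
# `iptables -S -t nat`. "-d 10.2.0.0" is kept as printed; iptables treats a
# bare address as a /32, which is what this evaluator reproduces.
NAT_RULES = """
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -d 10.2.0.0 -j RETURN
-A POSTROUTING -s 10.0.0.0/24 ! -d 1.1.1.0/24 -o eth0 -j MASQUERADE
"""

def parse_rules(text, chain="POSTROUTING"):
    """Return (policy, rules) for one chain; a rule is its matches plus target."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain]:
            rule, i = {"matches": [], "target": None}, 2
            while i < len(tok):
                neg = tok[i] == "!"          # "! -d x" negates the next match
                if neg:
                    i += 1
                opt, val = tok[i], tok[i + 1]
                i += 2
                if opt == "-j":
                    rule["target"] = val
                elif opt in ("-s", "-d"):    # bare address -> /32, like iptables
                    rule["matches"].append((opt, ipaddress.ip_network(val, strict=False), neg))
                elif opt == "-o":
                    rule["matches"].append((opt, val, neg))
            rules.append(rule)
    return policy, rules

def evaluate(policy, rules, src, dst, out_if):
    """First-match walk of a built-in chain; RETURN falls through to the policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        ok = True
        for opt, val, neg in rule["matches"]:
            hit = src in val if opt == "-s" else dst in val if opt == "-d" else out_if == val
            ok = ok and (hit != neg)
        if ok:
            return policy if rule["target"] == "RETURN" else rule["target"]
    return policy

def verdict(src, dst, out_if="eth0"):
    """NAT verdict for one packet leaving via out_if under NAT_RULES."""
    return evaluate(*parse_rules(NAT_RULES), src, dst, out_if)
```

Under these rules only 10.2.0.0 itself escapes masquerading; a client packet to 10.2.0.5 still hits MASQUERADE, which is why the mask on the RETURN rule matters.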