[strongSwan] SNAT after decryption

Dragos Ilie dragos.ilie at bth.se
Wed Aug 26 17:01:48 CEST 2015


I would like to know if it is possible to apply SNAT to a packet after
it has been decrypted by IPsec, or if it is intentionally prevented.

The background is that we have a project where we try to run strongSwan
inside KVM virtual machines managed by OpenStack. There are two
OpenStack sites and they are connected with IPsec in tunnel mode. Each
site consists of a regular node (VM) that sends packets through another
VPN VM (the default gateway for the site) where we have strongSwan
installed. The tunnel is established and using tcpdump we can observe
that packets are decrypted on the destination VPN VM and then forwarded
to the destination node (VM).

However, the underlying OpenStack host where the VPN VM is running has
installed an iptables rule that drops outgoing packets unless they carry
the src IP address of the VPN VM. This is why I would like to use SNAT on
the decrypted packets (yes, I could remove the iptables rule, but we would
prefer not to do that).

I have tried adding the following rule on the VPN VM in question,

iptables -t nat -A POSTROUTING -o eth0 -m policy --dir out --pol ipsec \
    --reqid 14 --proto esp -j SNAT --to-source <vpn-vm-address>

where eth0 is the interface towards the destination VM, but without any
luck. No packets are matched by the rule. I tried without -m policy,
adding the rule to the ESP interface (eth1) instead, but nothing worked.
Now I am beginning to suspect that this behavior is intentional (don't
match) and would like to have a second opinion.

Best regards,

Dr. Dragos Ilie, dragos.ilie at bth.se
Assistant Professor of Telecommunication Systems
Blekinge Institute of Technology
Department of Communication Systems
SE-371 79 Karlskrona, Sweden

Phone:   +46 455 38 58 71
E-mail:  dragos.ilie at bth.se
Web:     http://www.bth.se/com/dil
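As an added worked example (not part of the mail above and not strongSwan project code), the following rule set does the SNAT in two stages: the Netfilter policy match sees a decapsulated packet in direction "in" (PREROUTING/INPUT/FORWARD), so the packet is marked there in the mangle table and the SNAT in nat POSTROUTING keys on that mark. Interface name, mark value and SNAT address are assumptions; reqid 14 is taken from the mail; with IPT=echo (the default here) the commands are printed instead of applied.

```shell
#!/bin/sh
# Added example: SNAT of IPsec traffic after decryption with a mark-based
# two-stage rule set. "-m policy --dir in --pol ipsec" only matches in
# PREROUTING/INPUT/FORWARD, so decapsulated packets are marked in mangle
# PREROUTING and the SNAT in nat POSTROUTING matches on the mark.
# IPT=echo (default) prints the rules; IPT=iptables applies them (root needed).
IPT="${IPT:-echo}"

# snat_decrypted_rules <inner interface> <reqid> <fwmark> <snat address>
# All four arguments are assumptions supplied by the caller.
snat_decrypted_rules() {
    dev="$1"; reqid="$2"; mark="$3"; src="$4"
    # 1) Mark packets that were just decapsulated from the SA with this reqid.
    $IPT -t mangle -A PREROUTING -m policy --dir in --pol ipsec \
        --reqid "$reqid" --proto esp -j MARK --set-mark "$mark"
    # 2) Rewrite the source of the marked packets as they leave towards the
    #    inner node, so the host's source-address filter lets them through.
    $IPT -t nat -A POSTROUTING -o "$dev" -m mark --mark "$mark" \
        -j SNAT --to-source "$src"
}

# Dry run with constructed values: inner interface eth0, reqid 14 (from the
# mail), mark 0x14, and a documentation-range address as the VPN VM's IP.
snat_decrypted_rules eth0 14 0x14 192.0.2.1
```

Check the result with iptables -t mangle -L PREROUTING -v -n and iptables -t nat -L POSTROUTING -v -n: the packet counters on both rules should increase together when traffic arrives over the tunnel.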
