[strongSwan] SNAT after decryption

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 26 17:25:42 CEST 2015

Hi Dragos,

have a look at our [rather more complex] SNAT example scenario where
we use XFRM_MARKS to tag the packets to be NAT-ed:


This might give you some ideas on how to solve your problem.



On 26.08.2015 17:01, Dragos Ilie wrote:
> Hi,
> I would like to know if it is possible to apply SNAT to a packet after
> it has been decrypted by IPsec, or if it is intentionally prevented.
> The background is that we have a project where we try to run strongSwan
> inside KVM virtual machines managed by OpenStack. There are two
> OpenStack sites and they are connected with IPsec in tunnel mode. Each
> site consists of a regular node (VM) that sends packets through another
> VPN VM (the default gateway for the site) where we have strongSwan
> installed. The tunnel is established and using tcpdump we can observe
> that packets are decrypted on the destination VPN VM and then forwarded
> to the destination node (VM).
> However, the underlying OpenStack host where the VPN VM is running has
> installed an iptables rule that drops outgoing packets unless they carry
> the src IP address of the VPN VM. This is why I would like to use SNAT on the
> decrypted packets (yes, I could remove the iptables rule but we would
> prefer not to do that).
> I have tried adding the following rule on the VPN VM in question,
> iptables -t nat -D POSTROUTING -o eth0 -m policy --dir out --pol ipsec
> --reqid 14 --proto esp -j SNAT --to-source
> where eth0 is the interface towards the destination VM, but without any
> luck. No packets are matched by the rule. I tried without -m policy,
> adding the rule to the ESP interface (eth1) instead, but nothing worked.
> Now I am beginning to suspect that this behavior is intentional (don't
> match) and would like to have a second opinion.
> Best regards,
> Dragos

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
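As an added example (not from the list thread or the strongSwan test scenarios): one way to single out packets that have just been decrypted and SNAT them is to set a mark on them in the FORWARD chain using the iptables policy match, and then select on that mark in nat/POSTROUTING. The policy match with `--dir in` selects the decapsulating policy and is only accepted in PREROUTING, INPUT and FORWARD, which is why the tagging cannot happen directly in POSTROUTING. Assumed values: reqid 14 from the thread, a placeholder VPN VM address 10.0.0.1, eth0 as the interface towards the inner node, and mark 0x10.

```shell
#!/bin/sh
# Added example, not code from the strongSwan project or the list thread.
# Assumed/constructed values: reqid 14 (from the thread), placeholder VPN VM
# address 10.0.0.1, interface eth0 towards the destination node, mark 0x10.
REQID=14
MARK=0x10
SNAT_IP="10.0.0.1"   # placeholder: address the host-side filter expects as src
INNER_IF="eth0"      # placeholder: interface towards the destination VM

# Rule 1: a decrypted, forwarded packet matches the *inbound* IPsec policy
# ("--dir in"), which the policy match can only evaluate in PREROUTING,
# INPUT or FORWARD. Tag such packets with a mark there.
mark_rule() {
    printf 'iptables -t mangle -A FORWARD -m policy --dir in --pol ipsec --proto esp --reqid %s -j MARK --set-mark %s\n' \
        "$REQID" "$MARK"
}

# Rule 2: in nat/POSTROUTING "--dir in" is not available, so select the
# decrypted packets by the mark set above and rewrite their source address.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -m mark --mark %s -j SNAT --to-source %s\n' \
        "$INNER_IF" "$MARK" "$SNAT_IP"
}

# Apply both rules (requires root and the xt_policy / xt_mark modules).
apply_rules() {
    eval "$(mark_rule)" && eval "$(snat_rule)"
}

# Verify: with traffic flowing through the tunnel, the packet counters of
# both rules should increase ("iptables -t mangle -L FORWARD -v -n" and
# "iptables -t nat -L POSTROUTING -v -n").
```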
