[strongSwan] ipsec with virtual IP/NAT
Harm Verhagen
harm at symeon.nl
Sun Nov 12 11:56:58 CET 2017
Hi,
I want to set up a configuration of which I could find an example in the
strongSwan documentation.
I want to set up an IKEv1 site-to-site configuration.
But a virtual IP address must be NATed.
I've set up some site-to-site configurations before without NAT; all work
just fine.
What's different here is that we must use NAT internally (virtual IP?).
The remote site needs to access us via a specific (virtual) IP.
site A - VPN A -------- VPN B - Site B
local network A 10.0.0.0/24
local network B 10.123.123.32/29
VPN A is an Ubuntu machine with strongSwan.
I'm testing now with an Ubuntu machine as Site B too, but eventually
that'll be a party that I don't control, using some Cisco device.
The question is about the configuration of "VPN A".
VPN A/VPN B: public IPs are on the internet.
Site B needs to access a specific server in site A, 10.0.0.1.
But Site B requires that it access that server as 10.137.250.112 (the
'virtual IP'; no machine has that IP).
I'd like to achieve this with NATting in VPN A (not by adding
10.37.250.112 as an IP/subnet in site A).
I managed to set up the tunnel correctly with the following config:
# config site A
conn mycon
    keyexchange=ikev1
    authby=secret
    auto=add
    #keyingtries=%forever
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    type=tunnel
    left=<public IP A>
    leftsubnet=10.137.250.112/32
    leftfirewall=yes
    right=<public IP B>
    rightsubnet=10.123.123.32/29
    closeaction=restart
# config Site B
conn mycon
    keyexchange=ikev1
    authby=secret
    auto=add
    # config parameters of the remote CISCO 55010
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    type=tunnel
    left=<public IP B>
    leftsubnet=10.123.123.32/29
    leftfirewall=yes
    right=<public IP A>
    rightsubnet=10.137.250.112/32
The tunnel is up just fine:
site A
Security Associations (1 up, 0 connecting):
      symeon[4]: ESTABLISHED 30 minutes ago, 149.210.145.167[149.210.145.167]...176.58.118.248[176.58.118.248]
      symeon-nat{6}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c47cdf98_i c0a29f60_o
      symeon-nat{6}: 10.137.250.112/32 === 10.123.123.32/29
I now want to ping host 10.0.0.1 in Site A from a machine in site B using
the virtual IP:
ping 10.137.250.112
Those ping packets traverse the tunnel OK; I see them appearing on VPN A.
tcpdump on VPN A shows:
11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
iptables
VPN A is 10.0.0.2.
The machine to reach is 10.0.0.1.
I added the following rules to VPN A:
iptables -t nat -A PREROUTING -p icmp -s 10.123.123.32/29 -d 10.137.250.112 -j DNAT --to-destination 10.0.0.1
iptables -t nat -A POSTROUTING -s 10.123.123.32/29 -j SNAT --to 10.0.0.2
iptables -t nat -A POSTROUTING -j MASQUERADE
This does not seem to work; I'd expect the ICMP packets to be sent to
10.0.0.2 with source 10.0.0.1 now (on the 10.0.0.0/24 interface).
But I keep seeing the packets on the public interface as:
11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
Does anyone have an idea how to properly configure NAT here on the machine "VPN A"?
-Harm
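Added example (not part of the post, not strongSwan or netfilter code): a small model of the netfilter hooks a decrypted IPsec packet traverses on VPN A, in order PREROUTING nat, FORWARD filter, POSTROUTING nat, loaded with the exact rules from the post. Two things in it are assumptions and are marked as such in the comments: the FORWARD rule is the shape strongSwan's default updown script installs for leftfirewall=yes (destination = leftsubnet, restricted with -m policy --dir in --pol ipsec), and the FORWARD chain policy is taken to be DROP. The point it makes visible is that after the DNAT the destination is 10.0.0.1, so a FORWARD rule written for 10.137.250.112/32 no longer matches and the verdict falls to the chain policy.

```python
"""Model of the forward path on VPN A for one decrypted tunnel packet.

Hook order for a forwarded packet: PREROUTING (nat) -> FORWARD (filter) -> POSTROUTING (nat).
Rule dicts carry the subset of iptables selectors used in the post:
src (-s), dst (-d), proto (-p), policy_in (-m policy --dir in --pol ipsec).
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    ipsec_in: bool = True  # True: packet was just decrypted by an inbound IPsec policy


def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _matches(rule: dict, pkt: Packet) -> bool:
    if not _in(pkt.src, rule.get("src", "0.0.0.0/0")):
        return False
    if not _in(pkt.dst, rule.get("dst", "0.0.0.0/0")):
        return False
    if rule.get("proto") and rule["proto"] != pkt.proto:
        return False
    if rule.get("policy_in") and not pkt.ipsec_in:
        return False
    return True


def _first_match(chain: list, pkt: Packet):
    for rule in chain:
        if _matches(rule, pkt):
            return rule
    return None


def forward_path(pkt: Packet, nat_pre: list, forward: list, forward_default: str, nat_post: list):
    """Walk one forwarded packet through the three hooks; return (verdict, final packet, trace)."""
    trace = []
    rule = _first_match(nat_pre, pkt)
    if rule and rule["target"] == "DNAT":
        pkt = replace(pkt, dst=rule["to"])
        trace.append(f"PREROUTING DNAT -> dst {pkt.dst}")
    rule = _first_match(forward, pkt)
    verdict = rule["target"] if rule else forward_default
    trace.append(f"FORWARD {verdict} ({'rule' if rule else 'chain policy'})")
    if verdict != "ACCEPT":
        return verdict, pkt, trace
    rule = _first_match(nat_post, pkt)
    if rule and rule["target"] in ("SNAT", "MASQUERADE"):
        pkt = replace(pkt, src=rule["to"])
        trace.append(f"POSTROUTING {rule['target']} -> src {pkt.src}")
    return verdict, pkt, trace


# nat table exactly as in the post (first match wins within a chain)
NAT_PREROUTING = [dict(src="10.123.123.32/29", dst="10.137.250.112/32", proto="icmp", target="DNAT", to="10.0.0.1")]
NAT_POSTROUTING = [
    dict(src="10.123.123.32/29", target="SNAT", to="10.0.0.2"),
    dict(target="MASQUERADE", to="10.0.0.2"),  # masquerades to the outgoing interface address; 10.0.0.2 assumed
]
# ASSUMPTION: the rule strongSwan's default _updown script adds for leftfirewall=yes, simplified to
#   -s <rightsubnet> -d <leftsubnet> -m policy --dir in --pol ipsec -j ACCEPT
FORWARD_UPDOWN = [dict(src="10.123.123.32/29", dst="10.137.250.112/32", policy_in=True, target="ACCEPT")]
FORWARD_DEFAULT = "DROP"  # ASSUMPTION: host firewall drops forwarded traffic by default
# Extra rule for the post-DNAT destination, still limited to decrypted tunnel traffic
FORWARD_FIXED = FORWARD_UPDOWN + [dict(src="10.123.123.32/29", dst="10.0.0.1/32", policy_in=True, target="ACCEPT")]

PING = Packet(src="10.123.123.32", dst="10.137.250.112")  # the echo request from the post's tcpdump


def as_posted():
    return forward_path(PING, NAT_PREROUTING, FORWARD_UPDOWN, FORWARD_DEFAULT, NAT_POSTROUTING)


def with_forward_rule():
    return forward_path(PING, NAT_PREROUTING, FORWARD_FIXED, FORWARD_DEFAULT, NAT_POSTROUTING)


if __name__ == "__main__":
    for name, fn in (("as posted", as_posted), ("with FORWARD rule for 10.0.0.1", with_forward_rule)):
        verdict, final, trace = fn()
        print(f"{name}: {verdict}, {final.src} -> {final.dst}; " + "; ".join(trace))
```

The model only says what to check, not what is wrong on the box: `iptables -L FORWARD -v -n` (chain policy and which rule counts increment) and `sysctl net.ipv4.ip_forward` are the two corresponding checks. Whatever the FORWARD chain looks like, adding `-m policy --dir in --pol ipsec` to the DNAT rule itself is worth doing, so that only packets that actually came out of the tunnel are translated and a cleartext packet from the Internet with a forged 10.123.123.x source never reaches 10.0.0.1.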