[strongSwan] ipsec with virtual IP/NAT
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Nov 12 16:26:43 CET 2017
Hi,
Your assumption is wrong. tcpdump captures packets before any firewall rules are applied.
Look at the diagram[1].
Anyway, your configuration is flawed. Use auto=route and avoid sha256. Its implementations differ between vendors.
Kind regards
Noel
[1] inai.de/images/nf-packet-flow.png
On 12.11.2017 11:56, Harm Verhagen wrote:
> Hi,
>
> I want to set up a configuration, for which I could find an example in the strongSwan documentation.
>
> I want to set up an IKEv1 site-to-site configuration.
> But a virtual IP address must be NATed.
>
>
> I've set up some site-to-site configurations before without NAT; all work just fine.
> What's different here is that we must use NAT internally (virtual IP?). The remote site needs to access us via a specific (virtual) IP.
>
>
> site A - VPN A -------- VPN B - Site B
>
>
> local network A 10.0.0.0/24
> local network B 10.123.123.32/29
>
> VPN A is an Ubuntu machine with strongSwan.
> I'm testing now with an Ubuntu machine as Site B too, but eventually that'll be a party that I don't control, using some Cisco device.
> The question is about the configuration of 'VPN A'.
> VPN A/VPN B: public IPs are on the internet.
>
>
> Site B needs to access a specific server in site A, *10.0.0.1*.
> But Site B requires that it access that server as *10.137.250.112* (the 'virtual IP'; no machine has that IP).
>
> I'd like to achieve this with NATing in VPN A (not by adding 10.137.250.112 as an IP/subnet in site A).
>
>
> I managed to set up the tunnel correctly with the following config:
>
> # config site A
> conn mycon
>     keyexchange=ikev1
>     authby=secret
>     auto=add
>     #keyingtries=%forever
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     type=tunnel
>     left=<public IP A>
>     leftsubnet=10.137.250.112/32
>     leftfirewall=yes
>     right=<public IP B>
>     rightsubnet=10.123.123.32/29
>     closeaction=restart
>
>
> # config Site B
> conn mycon
>     keyexchange=ikev1
>     authby=secret
>     auto=add
>     # config parameters of the remote CISCO 55010
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     type=tunnel
>     left=<public IP B>
>     leftsubnet=10.123.123.32/29
>     leftfirewall=yes
>     right=<public IP A>
>     rightsubnet=10.137.250.112/32
>
>
> The tunnel is up just fine:
> site A
> Security Associations (1 up, 0 connecting):
> symeon[4]: ESTABLISHED 30 minutes ago, 149.210.145.167[149.210.145.167]...176.58.118.248[176.58.118.248]
> symeon-nat{6}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c47cdf98_i c0a29f60_o
> symeon-nat{6}: 10.137.250.112/32 === 10.123.123.32/29
>
>
> I now want to ping host 10.0.0.1 in Site A from a machine in site B using the virtual IP:
> ping 10.137.250.112
>
>
>
> Those PING packets traverse the tunnel OK. I see them appearing on VPN A.
>
> tcpdump on VPN A shows:
>
> 11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
> 11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
>
>
> *iptables*
>
> VPN A is 10.0.0.2
> The machine to reach is 10.0.0.1
>
> I added the following rules to VPN A:
> iptables -t nat -A PREROUTING -p icmp -s 10.123.123.32/29 -d 10.137.250.112 -j DNAT --to-destination 10.0.0.1
> iptables -t nat -A POSTROUTING -s 10.123.123.32/29 -j SNAT --to 10.0.0.2
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
>
> This does not seem to work; I'd expect the ICMP packets to be sent to 10.0.0.2 with source 10.0.0.1 now (on the 10.0.0.0/24 interface).
>
> But I keep seeing the packets on the public interface as
> 11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
> 11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
>
>
> Does anyone have an idea how to properly configure NAT here on the machine "VPN A"?
>
>
> -Harm
>
>
>
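The shell script below is an added example and not code posted by either participant. It writes the NAT for "VPN A" in a form that follows Noel's point: the decapsulated packet that tcpdump shows on the public interface is captured before the nat table runs, so whether the DNAT fired has to be read from rule counters, the conntrack entry, or a capture on the LAN side. Addresses are the ones from the thread; the interface names eth0/eth1, the `-m policy` restrictions, the explicit FORWARD rules, the `run` dry-run wrapper and the conn fragment with auto=route are assumptions of this example, and the ike/esp proposal is left to whatever Site B actually accepts.

```shell
#!/bin/sh
# Added example (not from the original thread): DNAT a virtual IP on "VPN A"
# to the real LAN host behind a strongSwan site-to-site tunnel, plus the
# checks that observe the packet *after* netfilter has rewritten it.
# Addresses follow the thread; LAN_IF and WAN_IF are assumed interface names.
set -eu

VIRTUAL_IP=10.137.250.112     # address Site B is allowed to talk to (leftsubnet)
REAL_HOST=10.0.0.1            # the server that really answers
VPN_A_LAN_IP=10.0.0.2         # VPN A's own address on 10.0.0.0/24
REMOTE_NET=10.123.123.32/29   # rightsubnet
LAN_IF=${LAN_IF:-eth1}        # assumption: interface towards 10.0.0.0/24
WAN_IF=${WAN_IF:-eth0}        # assumption: interface carrying the public IP
APPLY=${APPLY:-0}             # 0 = only print the commands, 1 = execute them (root)

# Print the command and execute it only when APPLY=1 (dry run by default).
run() {
    printf '%s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

nat_rules() {
    # 1. Rewrite the virtual IP to the real host.  The decrypted packet passes
    #    PREROUTING again after xfrm decapsulation, so the rule sees the inner
    #    header; "-m policy --dir in --pol ipsec" limits it to packets that came
    #    out of an IPsec SA.  No "-p icmp": TCP/UDP to the server must work too.
    run iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec \
        -s "$REMOTE_NET" -d "$VIRTUAL_IP" -j DNAT --to-destination "$REAL_HOST"

    # 2. Only needed when $REAL_HOST has no route back to $REMOTE_NET via VPN A:
    #    hide the remote network behind VPN A's LAN address.  Match the post-DNAT
    #    destination and the LAN interface so no other traffic is rewritten.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$REMOTE_NET" \
        -d "$REAL_HOST" -j SNAT --to-source "$VPN_A_LAN_IP"

    # 3. A catch-all MASQUERADE must skip traffic that is about to be encrypted,
    #    otherwise the inner source is rewritten before the policy lookup.
    run iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 4. The FORWARD rules that leftfirewall=yes installs match the traffic
    #    selector (10.137.250.112/32); after DNAT the packet is addressed to
    #    $REAL_HOST, so accept that explicitly and let conntrack admit replies.
    run iptables -A FORWARD -m policy --dir in --pol ipsec \
        -s "$REMOTE_NET" -d "$REAL_HOST" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Where to look instead of tcpdump on the WAN interface: rule counters, the
# NAT conntrack entry, and the rewritten packet on the LAN side.
checks() {
    run iptables -t nat -L PREROUTING -v -n
    run iptables -L FORWARD -v -n
    run conntrack -L -d "$REAL_HOST"
    run tcpdump -ni "$LAN_IF" host "$REAL_HOST"
}

# strongSwan side for VPN A, as suggested in the reply: auto=route installs the
# policies immediately and brings the tunnel up on matching traffic.
ipsec_conf_fragment() {
    cat <<EOF
conn mycon
    keyexchange=ikev1
    authby=secret
    auto=route
    # ike=/esp= proposal: whatever Site B actually accepts
    type=tunnel
    leftsubnet=$VIRTUAL_IP/32
    leftfirewall=yes
    rightsubnet=$REMOTE_NET
EOF
}

case "${1:-print}" in
    apply)  APPLY=1; nat_rules ;;
    checks) APPLY=1; checks ;;
    *)      nat_rules; checks; ipsec_conf_fragment ;;   # dry run: print only
esac
```

Run it without arguments to print the rules and the conn fragment; `sh vpn-a-nat.sh apply` as root installs the rules, and `sh vpn-a-nat.sh checks` runs the counters, conntrack listing and LAN-side capture that show whether the DNAT actually hit. Step 2 can be dropped when 10.0.0.1 routes 10.123.123.32/29 back through VPN A.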