[strongSwan] ipsec with virtual IP/NAT

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Nov 12 16:26:43 CET 2017


Hi,

Your assumption is wrong. tcpdump captures packets before any firewall rules are applied.
Look at the diagram[1].
Anyway, your configuration is flawed. Use auto=route and avoid sha256. Its implementations differ between vendors.

Kind regards

Noel

[1] inai.de/images/nf-packet-flow.png


On 12.11.2017 11:56, Harm Verhagen wrote:
> Hi,
>
> I want to set up a configuration, of which I could find an example in the strongswan documentation.
>
> I want to set up an IKEv1 site-to-site configuration.
> But a virtual IP address must be NATted.
>
>
> I've set up some site-to-site configurations before without NAT, all work just fine.
> What's different here is that we must use NAT internally (virtual IP?). The remote site needs to access us via a specific (virtual) IP.
>
>
> site A  -  VPN A --------     VPN B  -    Site B
>
>
> local network A  10.0.0.0/24
> local network B  10.123.123.32/29
>
> VPN A is an ubuntu machine with strongswan.
> I'm testing now with an ubuntu machine as Site B too, but eventually that'll be a party that I don't control, using some cisco device.
> The question is about the configuration of 'VPN A'.
> VPN A/VPN B: public ips are on the internet.
>
>
> Site B needs to access a specific server in site A: *10.0.0.1*
> But Site B requires that it accesses that server as *10.137.250.112* (the 'virtual IP', no machine has that IP)
>
> I'd like to achieve this with NATting in VPN A (not by adding 10.37.250.112 as an IP/subnet in site A).
>
>
> I managed to setup the tunnel correctly with the following config
>
> # config site A
> conn mycon
>     keyexchange=ikev1
>     authby=secret
>     auto=add
>     #keyingtries=%forever
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     type=tunnel
>     left=<public IP A>
>     leftsubnet=10.137.250.112/32
>     leftfirewall=yes
>     right=<public IP B>
>     rightsubnet=10.123.123.32/29
>
>     closeaction=restart
>
>
> # config Site B
> conn mycon
>     keyexchange=ikev1
>     authby=secret
>     auto=add
>     # config parameters of the remote CISCO 55010
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     type=tunnel
>     left=<public IP B>
>     leftsubnet=10.123.123.32/29
>     leftfirewall=yes
>     right=<public IP A>
>     rightsubnet=10.137.250.112/32
>
>
> The tunnel is up just fine:
> site A
> Security Associations (1 up, 0 connecting):
>       symeon[4]: ESTABLISHED 30 minutes ago, 149.210.145.167[149.210.145.167]...176.58.118.248[176.58.118.248]
>   symeon-nat{6}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c47cdf98_i c0a29f60_o
>   symeon-nat{6}:   10.137.250.112/32 === 10.123.123.32/29
>
>
> I now want to ping host 10.0.0.1 in Site A from a machine in site B using the virtual IP:
>     ping 10.137.250.112
>
>
>
> Those PING packets traverse the tunnel OK. I see them appearing on VPN A.
>
> tcpdump on VPN A shows:
>
> 11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
> 11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
>
>
> *iptables*
>
> VPN A is 10.0.0.2
> The machine to reach is 10.0.0.1
>
> I added the following rules to VPN A:
> iptables -t nat -A PREROUTING -p icmp -s 10.123.123.32/29 -d 10.137.250.112 -j DNAT --to-destination 10.0.0.1
> iptables -t nat -A POSTROUTING -s 10.123.123.32/29 -j SNAT --to 10.0.0.2
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
>
> This does not seem to work. I'd expect the ICMP packets to be sent to 10.0.0.1 with source 10.0.0.2 now (on the 10.0.0.0/24 interface).
>
> But I keep seeing the packets on the public interface as
> 11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
> 11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
>
>
> Does anyone have an idea how to properly configure NAT here on the machine "VPN A"?
>
>
> -Harm
>
>
>

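The following is an added example, not code from this thread or from the strongSwan project. It shows how the DNAT/SNAT rules from the question can be scoped so that only packets that actually came out of the IPsec tunnel are translated, and how to check whether the DNAT rule is being hit at all, which is the question a tcpdump on the public interface cannot answer: that capture shows the decrypted packet before the nat PREROUTING hook runs (see the packet-flow diagram Noel refers to), so the translated packet is only visible on the LAN interface or through the rule counters. The addresses are the ones from the thread; the interface name `eth1`, the use of `-m policy`, and the `dnat_hits`/`diagnose` helpers are my assumptions and choices, not something the thread or strongSwan prescribes.

```shell
#!/bin/sh
# Added example (not from the thread): scoped DNAT/SNAT for a virtual IP behind
# a strongSwan policy-based tunnel, plus a counter check that tells whether the
# DNAT rule is matching. LAN_IF is an assumed interface name.

VIRTUAL_IP="10.137.250.112"     # address Site B is allowed to reach (leftsubnet)
REAL_HOST="10.0.0.1"            # server that really answers
VPN_A_LAN_IP="10.0.0.2"         # VPN A's own LAN address
REMOTE_NET="10.123.123.32/29"   # rightsubnet
LAN_IF="eth1"                   # assumed name of VPN A's internal interface

# Print the NAT rules. Differences from the rules posted in the thread:
#  - the DNAT only matches packets that were just decrypted by IPsec
#    (-m policy --dir in --pol ipsec), so a cleartext packet for the virtual
#    IP arriving on the public interface is not forwarded to the real server;
#  - the SNAT is limited to the LAN interface and the real host;
#  - there is no catch-all "-j MASQUERADE", which would rewrite every
#    connection leaving the box, tunnel or not.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -s $REMOTE_NET -d $VIRTUAL_IP -j DNAT --to-destination $REAL_HOST
iptables -t nat -A POSTROUTING -o $LAN_IF -s $REMOTE_NET -d $REAL_HOST -j SNAT --to-source $VPN_A_LAN_IP
EOF
}

# Apply the rules on a real VPN A host (needs root). Only run when APPLY=1.
apply_rules() {
    nat_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Read the output of "iptables -t nat -vnL PREROUTING" on stdin and print the
# packet counter of the DNAT rule for the given virtual IP (empty if absent).
dnat_hits() {
    awk -v vip="$1" '$3 == "DNAT" && index($0, vip) { print $1; exit }'
}

# Turn a counter into a verdict an operator can act on.
diagnose() {
    case "$1" in
        "")  echo "missing" ;;   # no DNAT rule for the virtual IP installed
        0)   echo "not-hit" ;;   # rule present, decrypted packets never reach it
        *)   echo "hit" ;;       # translation happens; capture on LAN_IF to see it
    esac
}

# Constructed sample of the listing right after the rules were added and
# before any packet matched, i.e. the situation described in the thread.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 12 packets, 1008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       10.123.123.32/29     10.137.250.112       policy match dir in pol ipsec to:10.0.0.1'

if [ "${APPLY:-0}" = "1" ] && command -v iptables >/dev/null 2>&1; then
    apply_rules
    hits=$(iptables -t nat -vnL PREROUTING | dnat_hits "$VIRTUAL_IP")
else
    hits=$(printf '%s\n' "$SAMPLE_LISTING" | dnat_hits "$VIRTUAL_IP")
fi
echo "DNAT rule for $VIRTUAL_IP: $(diagnose "$hits") (counter: ${hits:-none})"
```

Run it as-is to exercise the check against the constructed listing; on the actual VPN A host, `APPLY=1 sh nat-check.sh` installs the two rules and reads the live counters. Once the counter moves, confirm the translation with `tcpdump -ni eth1 icmp` on the LAN side rather than on the public interface: the reply from 10.0.0.1 to 10.0.0.2 is mapped back by conntrack to 10.137.250.112 -> 10.123.123.x, which is exactly the leftsubnet/rightsubnet pair of the tunnel, so it is encrypted on the way out.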