[strongSwan] Site to site VPN initiated from a NAT router
Zachary Cutlip
uid000 at icloud.com
Tue Mar 13 03:36:16 CET 2018
Hello,
I’m trying to set up an IPSec VPN that’s a little different from most projects I’ve seen documented.
I’m building a NAT router on Debian that I plan to travel with. I guess you might say my strongswan use case is sort of a hybrid between road warrior & site-to-site.
I’m confused on how to set up ipsec.conf and iptables such that all wifi clients on connecting to the NAT router/WiFi AP get their traffic routed over the tunnel.
Here are some details:
The Debian box has two interfaces
- wan0, internet facing, configured via DHCP by whatever network it's connected to
- lan0, WiFi interface in AP mode with hostapd, 10.88.88.1/24
(There is also a third interface for management: eth0:10.99.99.1)
dnsmasq gives out DHCP configuration to wifi clients over lan0.
I’m connecting to a strongswan instance hosted on digital ocean with a fixed IP address.
When I take the box out of NAT router mode by flushing iptables, I can initiate a connection to the remote instance, and traffic originating from the Debian box seems to go over the tunnel as expected. If I have iptables set up to do NAT routing, and then initiate the VPN connection, two things happen:
1. Traffic from the Debian box (such as traceroute 8.8.8.8) is no longer routed over the tunnel.
2. Traffic from the wifi clients doesn’t get routed at all.
I feel like this should be pretty straightforward; I’m just missing something. Any advice?
Here’s what my iptables looks like when the NAT router is working, and there are no ipsec connections:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
Here’s the ipsec.conf generated by Trail of Bits’s AlgoVPN (I added the passthroughs):
$ cat ipsec.conf
conn ikev2-165.x.x.x
    fragmentation=yes
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    compress=no
    dpddelay=35s
    ike=aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
    esp=aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!
    right=165.x.x.x
    rightid=165.x.x.x
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=pubkey
    leftcert=zach.crt
    leftfirewall=yes
    left=%defaultroute
    auto=add

conn mgmt-passthrough
    leftsubnet=10.99.99.0/24   # Replace with your LAN subnet
    rightsubnet=10.99.99.0/24  # Replace with your LAN subnet
    authby=never               # No authentication necessary
    type=pass                  # passthrough
    auto=route                 # no need to 'ipsec up' this conn

conn wifi-passthrough
    leftsubnet=10.88.88.0/24   # Replace with your LAN subnet
    rightsubnet=10.88.88.0/24  # Replace with your LAN subnet
    authby=never               # No authentication necessary
    type=pass                  # passthrough
    auto=route                 # no need to 'ipsec up' this conn
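A plausible remedy for the two symptoms described above, added here as an example and not part of the original post or of strongSwan's own `_updown` script: an updown hook that stops MASQUERADE from rewriting the virtual IP out of IPsec-bound packets (so local traffic still matches the policy) and SNATs the WiFi subnet to the virtual IP (so forwarded traffic matches the `vip -> 0.0.0.0/0` policy instead of being masqueraded to wan0's address). It assumes the names from the post (`wan0`, `10.88.88.0/24`), would be installed with `leftupdown=` on the `ikev2-165.x.x.x` conn, and does not reproduce the FORWARD rules the default script adds for `leftfirewall=yes`.

```shell
#!/bin/sh
# Hypothetical leftupdown hook for a NAT router that gets a virtual IP
# (leftsourceip=%config). strongSwan exports PLUTO_VERB and
# PLUTO_MY_SOURCEIP to updown scripts; WAN_IF, LAN_NET and IPTABLES are
# assumed names for this example. Set IPTABLES=echo for a dry run.
WAN_IF="${WAN_IF:-wan0}"
LAN_NET="${LAN_NET:-10.88.88.0/24}"
IPTABLES="${IPTABLES:-iptables}"

# $1 is -I (insert at the top, ahead of MASQUERADE) or -D (delete);
# $2 is the virtual IP handed out by the responder.
vip_rules() {
    op="$1"
    vip="$2"
    # 1. Packets that will be IPsec-protected must not be masqueraded:
    #    MASQUERADE would replace the virtual IP with wan0's address before
    #    the xfrm policy is matched, and the packet would leave in the clear.
    "$IPTABLES" -t nat "$op" POSTROUTING -o "$WAN_IF" \
        -m policy --dir out --pol ipsec -j ACCEPT
    # 2. Forwarded WiFi traffic is rewritten to the virtual IP, so after the
    #    NAT re-route it matches the vip -> 0.0.0.0/0 policy and is tunneled.
    "$IPTABLES" -t nat "$op" POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$vip"
}

# Dispatch on the verb strongSwan passes; only act once a virtual IP exists.
case "${PLUTO_VERB:-}" in
    up-*)
        if [ -n "${PLUTO_MY_SOURCEIP:-}" ]; then
            vip_rules -I "$PLUTO_MY_SOURCEIP"
        fi
        ;;
    down-*)
        if [ -n "${PLUTO_MY_SOURCEIP:-}" ]; then
            vip_rules -D "$PLUTO_MY_SOURCEIP"
        fi
        ;;
esac
```

Because the rules are inserted with -I, both end up ahead of the existing catch-all MASQUERADE, and the SNAT rule sits in front of the policy-exempt rule so WiFi traffic is rewritten before the exemption is evaluated.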