[strongSwan] Help with packet forwarding/NAT

Thomas Nyberg twn+mailinglist-strongswan at thomasnyberg.com
Fri Mar 8 09:13:56 CET 2019


Hello,

I'm new to Strongswan (and to networking/VPNs in general) so I suspect 
this is a standard problem with answers all over the internet which I am 
unable to find due to my inexperience. If so, feel free to yell at me 
about better places to look and I can move on. :)

My basic setup is that I have a Linux HOST that connects to a VPN. 
Inside the VPN the HOST is assigned another address. Inside the network 
there is static routing between the internal address and another 
internal subnet that I would like to reach from the outside. I'll put 
some numbers in to make it concrete:

	* VPN Server IP: 10.130.16.148 (don't think this is important for my 
questions)
	* External HOST IP: 10.122.1.94
	* Internal VPN IP: 10.37.1.94
	* Internal Target Subnet: 10.108.88.0/24

So I think what I want is for packets originating on HOST with source IP 
10.122.1.94 and target IP (say) 10.108.88.39 to get sent over the 
tunnel, the source IP to be changed to 10.37.1.94, then forwarded 
through by regular routing, and finally I want the same thing to happen 
in reverse. I have tried many different settings, one example being the 
following (I removed settings that I think aren't relevant):

         IPSEC_REMOTE_IPADDR=10.130.16.148
         IPSEC_REMOTE_NETWORK=10.108.88.0
         IPSEC_REMOTE_NETMASK=255.255.255.0
         IPSEC_LOCAL_NETWORK=10.37.1.94
         IPSEC_LOCAL_NETMASK=255.255.255.255

The connection starts up fine, but when I try something like

	telnet 10.108.88.39 5000

then it just times out. I have tried many other variations of various 
settings, but I think I'm just sort of throwing things at the wall 
hoping they will stick (a strategy of questionable wisdom).

I believe my problem is that I am incorrectly setting up routing/NAT. 
Can anyone here see easily what I'm doing wrong? Is this sort of thing 
something that I can set up out of the box with Strongswan or would I 
need to do some NAT by hand? (I believe that I can do something similar 
here with iptables, but like I said I'm new to all this stuff.)

Let me know if my question is unclear. Thanks a lot for any help!

Cheers,
Thomas
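An added illustration (not code from the post, nor from strongSwan) of the source-address problem described above: it models which source address the IPsec policy lookup sees for a connection from the host, and emits the iptables rule that would rewrite that source to the internal VPN IP before the policy is evaluated. It assumes the wrapper variables in the post correspond to leftsubnet=10.37.1.94/32 and rightsubnet=10.108.88.0/24; the variable and function names are the example's own.

```shell
#!/bin/sh
# Added illustration, not code from the post or from strongSwan.
# Assumption: IPSEC_LOCAL_NETWORK/NETMASK in the post correspond to
# leftsubnet=10.37.1.94/32 and IPSEC_REMOTE_* to rightsubnet=10.108.88.0/24.
HOST_IP=10.122.1.94        # External HOST IP
VPN_IP=10.37.1.94          # Internal VPN IP: the only source the /32 policy covers
TARGET_NET=10.108.88.0/24  # Internal Target Subnet

# Source address the IPsec policy lookup sees for a locally generated packet
# to $1, with ($2=1) or without ($2=0) the SNAT rule from nat_rules below.
# Without it, a telnet sourced from 10.122.1.94 never matches the
# 10.37.1.94/32 policy, is sent in the clear and is never answered.
tunnel_source() {
    case "$1" in
        10.108.88.*) if [ "$2" = 1 ]; then echo "$VPN_IP"; else echo "$HOST_IP"; fi ;;
        *)           echo "$HOST_IP" ;;
    esac
}

# Rules that rewrite the source before the packet is matched against the
# policy. Linux repeats the xfrm policy lookup after SNAT in nat/POSTROUTING,
# so the rewritten packet is encrypted; conntrack reverses the NAT on replies.
nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
        "$HOST_IP" "$TARGET_NET" "$VPN_IP"
    printf 'iptables -A INPUT -m policy --pol ipsec --dir in -s %s -j ACCEPT\n' \
        "$TARGET_NET"
}

# Call apply_nat_rules as root to install them; the script itself only prints.
# Verify the installed policy with:  ip xfrm policy
#   (expect src 10.37.1.94/32 dst 10.108.88.0/24 dir out ... mode tunnel)
apply_nat_rules() { nat_rules | sh; }
nat_rules
```

If the VPN server assigns 10.37.1.94 as a virtual IP (leftsourceip=%config), strongSwan installs the address and a source route itself and locally generated traffic needs no NAT rule; the SNAT is only needed when the address is not installed that way or when traffic from other hosts is forwarded through the tunnel.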

