[strongSwan] simple Lan2Lan setup with (P)NAT
Philippe Strauss
philippe at strauss-engineering.ch
Tue Jun 16 15:28:12 CEST 2020
Hello the list,
In a pretty simple lan2lan setup, I need to "split tunnel" local traffic not destined for the other end's protected network using netfilter (the two strongSwan boxes run Linux).
For now I use the following netfilter:
----8<----
# flush
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
# PNAT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -A FORWARD -i enp3s0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
----8<----
And the following ipsec.conf:
----8<----
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    dpddelay=30s
    dpdaction=restart
    authby=secret

conn pnat-test1
    auto=start
    keyexchange=ikev1
    left=10.0.0.1
    leftsubnet=192.168.11.0/24
    leftid=10.0.0.1
    right=10.0.0.2
    rightsubnet=192.168.12.0/24
    rightid=10.0.0.2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536!
    esp=aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536!
----8<----
This is a simple lab setup for now; 10.0.0.0/24 is the WAN, 192.168.11.0/24 is one end of the protected network, 192.168.12.0/24 is the other. I need IKEv1 for legacy reasons. This simple setup works fine, except when I set up the netfilter rules for masquerading.
My question: what is the best/recommended way of exempting my traffic which needs protection from masquerading?
Thanks for your time!
--
Philippe Strauss
https://www.strauss-engineering.ch
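Added example, not part of the original post or of strongSwan's own documentation: a rewrite of the poster's netfilter script that exempts IPsec-protected packets from MASQUERADE with the xt_policy match (`-m policy --dir out --pol ipsec`) placed before the MASQUERADE rule, with an address-based exemption as a fallback, and that only forwards packets claiming to come from the remote subnet when they were actually decapsulated from ESP. Interface names and subnets are taken from the post; the `--dry-run`/`--apply` switches, the `IPT` variable and the `dry_run` helper are this example's own conventions, not strongSwan's.

```shell
#!/bin/sh
# Added example (not the original poster's script): NAT exemption for
# IPsec-protected traffic using the netfilter policy match.
# Assumed topology, as in the post: ppp0 = WAN, enp3s0 = LAN,
# 192.168.11.0/24 local protected net, 192.168.12.0/24 remote protected net.
# IPT is the iptables binary; override it to "echo /sbin/iptables" to
# print the rules instead of applying them (see dry_run below).
IPT=${IPT:-/sbin/iptables}
WAN_IF=ppp0
LAN_IF=enp3s0
LOCAL_NET=192.168.11.0/24
REMOTE_NET=192.168.12.0/24

apply_rules() {
    # flush
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -P FORWARD DROP

    # NAT exemption must precede MASQUERADE: a packet that an IPsec policy
    # will encapsulate is accepted (left untouched) in POSTROUTING ...
    $IPT -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    # ... with an address-based exemption as a fallback for kernels
    # without xt_policy, so the tunnel traffic is never masqueraded.
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Everything else leaving the WAN interface is masqueraded.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # FORWARD: LAN hosts may open connections anywhere; replies come back via
    # conntrack; packets claiming the remote subnet as source are only
    # accepted when they were really decapsulated from ESP (anti-spoofing).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LOCAL_NET" -j ACCEPT
    $IPT -A FORWARD -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
}

# Print the rule set instead of applying it (runs apply_rules in a subshell
# with IPT replaced by echo, so the global IPT is unchanged).
dry_run() {
    ( IPT="echo /sbin/iptables"; apply_rules )
}

# Return 0 when the nat exemption rule is listed before the MASQUERADE rule.
check_order() {
    rules=$(dry_run)
    exempt=$(echo "$rules" | grep -n -- '--dir out --pol ipsec -j ACCEPT' | head -1 | cut -d: -f1)
    masq=$(echo "$rules" | grep -n -- 'MASQUERADE' | head -1 | cut -d: -f1)
    [ -n "$exempt" ] && [ -n "$masq" ] && [ "$exempt" -lt "$masq" ]
}

case "${1:-}" in
    --dry-run) dry_run ;;
    --apply)   check_order && apply_rules ;;
esac
```

Run it with `--dry-run` first to review the rule order; `--apply` refuses to load the rules if the exemption would land after MASQUERADE. The order matters because nat table rules are evaluated once per connection on the first packet: if MASQUERADE wins, the source address is rewritten to the ppp0 address before the IPsec policy lookup, the packet no longer matches leftsubnet and leaves the WAN in the clear.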