
NAT source IP in Strongswan IPSEC VPN on Amazon EC2


Ok so first of all, networking is really not my strong suit...

I have an Amazon Linux EC2 instance, ip 172.31.46.176, connected to an IPSEC VPN using strongswan:

conn aws-to-other
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        # Local server IP
        left=172.31.46.176
        # Public server IP
        leftid=XX.XX.XX.XX
        # Local subnet
        leftsubnet=10.255.254.0/24
        # Remote public IP
        right=YY.YY.YY.YY
        # Remote subnet
        rightsubnet=172.16.91.0/24
        ike=aes256-sha2_256-modp2048!
        esp=aes256-sha256-modp2048!
        aggressive=no
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

The link is up and connected.

The other host is also using 172.16.X.X IPs. In order to contact its machine with IP 172.16.91.213, I have to set up a NAT rule so that my IP appears to be FROM 10.255.254.0/24.

So far:

  • I enabled IP Forwarding (/proc/sys/net/ipv4/ip_forward)

  • I disabled source/dest check on my EC2 instance network configuration

  • I tried the following (from https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling):

        iptables -t nat -A POSTROUTING -s 10.255.254.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
        iptables -t nat -A POSTROUTING -s 10.255.254.0/24 -o eth0 -j MASQUERADE

  • I've been playing around with iptables rules, but so far not so good.

I'm at a loss; if anyone can point me in any direction, I'd be really grateful.

Thanks

The NAT rules on that page and the ones you posted above are to NAT traffic from a specific subnet (`-s ...`) to the physical IP of the server (`-j MASQUERADE`). You definitely need to change or remove the `-s` option (you could use your local `172.16.x.x/x` subnet) and you probably want to use something like `-j SNAT --to-source 10.255.254.1` (i.e. NAT all traffic to a single IP in the tunneled subnet). Alternatively, you could use the `NETMAP` target to map IPs from your 172.16.x.x subnet to the `10.255.254.0/24` subnet.
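As an added example (not the asker's configuration or the answerer's code), the following POSIX shell script builds the `POSTROUTING` rules the answer describes for this exact tunnel: IPsec-bound traffic is exempted from NAT first, only traffic destined for `rightsubnet` is SNATed to one address inside `leftsubnet`, and everything else leaving the instance keeps the plain `MASQUERADE`. The tunnel address 10.255.254.1 and the interface name eth0 are assumptions; `render` only prints the rules, `apply` runs iptables.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# nat/POSTROUTING rules for the tunnel in the question, where
#   leftsubnet=10.255.254.0/24  is the subnet the peer expects us to use, and
#   rightsubnet=172.16.91.0/24  is the peer's network.
# Assumed: the instance's real address 172.31.46.176 sits on eth0, and
# 10.255.254.1 (inside leftsubnet) is the single address we SNAT to.
set -eu

LEFT_SUBNET=10.255.254.0/24
RIGHT_SUBNET=172.16.91.0/24
TUNNEL_SRC=10.255.254.1   # must be inside LEFT_SUBNET or no IPsec policy will match
WAN_IF=eth0

# Emit the three rules in the order they must be appended. "$@" is the command
# that receives each rule: "echo iptables" to preview, "iptables" to apply.
#  1. traffic that already matches an outbound IPsec policy is never NATed;
#  2. only traffic bound for rightsubnet is rewritten to the tunnel address,
#     after which the kernel redoes the XFRM lookup and the policy matches;
#  3. everything else leaving eth0 keeps the plain MASQUERADE for internet egress.
nat_rules() {
    "$@" -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    "$@" -t nat -A POSTROUTING -d "$RIGHT_SUBNET" -j SNAT --to-source "$TUNNEL_SRC"
    "$@" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Guard against the most common mistake: an SNAT address outside leftsubnet,
# which would send the packets out unprotected instead of into the tunnel.
# A /24 prefix comparison is enough for the subnets in this question.
src_in_left_subnet() {
    [ "${TUNNEL_SRC%.*}" = "${LEFT_SUBNET%.*}" ]
}

render_nat_rules() { nat_rules echo iptables; }

apply_nat_rules() {
    src_in_left_subnet || { echo "$TUNNEL_SRC is not in $LEFT_SUBNET" >&2; return 1; }
    nat_rules iptables
}

# After applying (as root), confirm the policy covers the NATed source and that
# the SNAT counter moves while you ping 172.16.91.213:
#   ip xfrm policy | grep -A1 "src $LEFT_SUBNET dst $RIGHT_SUBNET"
#   iptables -t nat -L POSTROUTING -v -n
case "${1:-render}" in
    apply)  apply_nat_rules ;;
    render) render_nat_rules ;;
esac
```

If other VPC instances should also reach the peer through this gateway, replace the single-address `SNAT` with the `NETMAP` mapping the answer mentions so each source keeps a distinct address inside `leftsubnet`.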