I have been having issues doing NAT (of VPN pool traffic after decryption) through the same interface on which the VPN terminates. Any idea how to achieve this post-IPsec NAT?
NAT Pool 10.10.10.0/24
|
[ Server VPN Strong Swan ] Eth1 (Public IP) ----------Internet----------- Remote Site (10.10.10.1)
Once the remote site connects and generates data, based on tcpdump I am able to see 10.10.10.1 going out of Eth1, but when I apply the following NAT rules it does not work.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0f1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:39:10.344051 IP 10.10.10.1.37438 > 1.1.1.1.80: Flags [S], seq 2217548787, win 65535, options [mss 1360,sackOK,TS val 2808310009 ecr 0,nop,wscale 8], length 0
12:39:10.344073 IP 10.10.10.1.37438 > 1.1.1.1.80: Flags [S], seq 2217548787, win 65535, options [mss 1360,sackOK,TS val 2808310009 ecr 0,nop,wscale 8], length 0
12:39:10.350632 IP 10.10.10.1.37440 > 1.1.1.1.80: Flags [S], seq 3855195472, win 65535, options [mss 1360,sackOK,TS val 2808310009 ecr 0,nop,wscale 8], length 0
12:39:10.350653 IP 10.10.10.1.37440 > 1.1.1.1.80: Flags [S], seq 3855195472, win 65535, options
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth1 -j MASQUERADE
VPN Server Setup:
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=yes

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
NAT Table
VPN-Server@localhost:~$ sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 180 packets, 48445 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 76 packets, 6166 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 76 packets, 6166 bytes)
pkts bytes target prot opt in out source destination
294 28462 LIBVIRT_PRT all -- any any anywhere anywhere
0 0 MASQUERADE all -- any any 10.193.135.0/24 !10.193.135.0/24 /* generated for Multipass network mpqemubr0 */
0 0 MASQUERADE udp -- any any 10.193.135.0/24 !10.193.135.0/24 /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
0 0 MASQUERADE tcp -- any any 10.193.135.0/24 !10.193.135.0/24 /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
0 0 RETURN all -- any any 10.193.135.0/24 255.255.255.255 /* generated for Multipass network mpqemubr0 */
0 0 RETURN all -- any any 10.193.135.0/24 base-address.mcast.net/24 /* generated for Multipass network mpqemubr0 */
0 0 MASQUERADE all -- any Eth1 172.17.0.0/24 anywhere
91 12895 MASQUERADE all -- any Eth1 10.10.10.0/24 anywhere
0 0 ACCEPT all -- any Eth1 10.10.10.0/24 anywhere policy match dir out pol ipsec
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
1 40 RETURN all -- any any 192.168.122.0/24 base-address.mcast.net/24
0 0 RETURN all -- any any 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24
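One thing worth checking in the POSTROUTING listing above is rule order: the MASQUERADE rule for 10.10.10.0/24 sits one line above the `policy match dir out pol ipsec` ACCEPT rule, so packets from the pool are masqueraded before the exemption is ever evaluated, and the exemption can never match. The usual arrangement for post-IPsec NAT is the reverse: the ACCEPT with the IPsec policy match first, so that pool traffic that is about to be encrypted again (for example, client-to-client traffic) is left alone, and MASQUERADE below it for everything else. The script below is an added example written for this answer; it is not code from the question, from strongSwan, or from the iptables project. It parses a chain listing in the shape `iptables -t nat -L POSTROUTING -v` prints (the two sample listings are constructed from the table above, with illustrative counters), reports whether the exemption precedes MASQUERADE for a given pool and interface, and prints an idempotent command sequence that establishes that order. The function names, the `demo` argument and the sample data are all assumptions of this example; POSIX sh and awk are the only requirements.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the IPsec NAT
# exemption precedes MASQUERADE for a VPN pool in nat/POSTROUTING, and emit
# an idempotent rule sequence that produces that order.

# Constructed sample, shaped like `iptables -t nat -L POSTROUTING -v` output.
# Rule order mirrors the listing in the post: MASQUERADE is hit first, so the
# policy-match ACCEPT below it can never match. Counters are illustrative.
POSTED_CHAIN='Chain POSTROUTING (policy ACCEPT 76 packets, 6166 bytes)
 pkts bytes target     prot opt in     out     source               destination
   91 12895 MASQUERADE all  --  any    Eth1    10.10.10.0/24        anywhere
    0     0 ACCEPT     all  --  any    Eth1    10.10.10.0/24        anywhere             policy match dir out pol ipsec'

# Constructed sample with the exemption first (the intended order).
FIXED_CHAIN='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    Eth1    10.10.10.0/24        anywhere             policy match dir out pol ipsec
    0     0 MASQUERADE all  --  any    Eth1    10.10.10.0/24        anywhere'

# ipsec_exempt_before_masq POOL IFACE < chain_listing
# Exit 0: ACCEPT (policy match dir out pol ipsec) precedes MASQUERADE for POOL/IFACE.
# Exit 1: MASQUERADE comes first, so the exemption is dead.
# Exit 2: one of the two rules is missing for that POOL/IFACE pair
#         (an interface name that does not match what the chain shows lands here).
ipsec_exempt_before_masq() {
    awk -v pool="$1" -v ifc="$2" '
        # Column layout of -L -v: pkts bytes target prot opt in out source destination [extras]
        $3 == "ACCEPT" && $7 == ifc && $8 == pool && /policy match dir out pol ipsec/ && !a { a = NR }
        $3 == "MASQUERADE" && $7 == ifc && $8 == pool && !m { m = NR }
        END {
            if (!a || !m) exit 2
            exit (a < m) ? 0 : 1
        }'
}

# render_nat_rules POOL IFACE
# Prints (does not run) commands that remove stale copies of the exemption,
# insert it at position 1 of POSTROUTING, and append MASQUERADE only if absent.
render_nat_rules() {
    pool=$1; ifc=$2
    ex="-s $pool -o $ifc -m policy --dir out --pol ipsec -j ACCEPT"
    mq="-s $pool -o $ifc -j MASQUERADE"
    printf '%s\n' \
      "while iptables -t nat -D POSTROUTING $ex 2>/dev/null; do :; done" \
      "iptables -t nat -I POSTROUTING 1 $ex" \
      "iptables -t nat -C POSTROUTING $mq 2>/dev/null || iptables -t nat -A POSTROUTING $mq"
}

# Stand-alone run: `sh thisfile.sh demo` reports on both samples, then prints
# the rule sequence. A live host can be checked with:
#   iptables -t nat -L POSTROUTING -v | ipsec_exempt_before_masq 10.10.10.0/24 <iface>
if [ "${1:-}" = "demo" ]; then
    rc=0; printf '%s\n' "$POSTED_CHAIN" | ipsec_exempt_before_masq 10.10.10.0/24 Eth1 || rc=$?
    echo "posted order: status $rc (0 = exemption first, 1 = MASQUERADE first, 2 = rule missing)"
    rc=0; printf '%s\n' "$FIXED_CHAIN" | ipsec_exempt_before_masq 10.10.10.0/24 Eth1 || rc=$?
    echo "fixed order:  status $rc"
    render_nat_rules 10.10.10.0/24 Eth1
fi
```

The exit-code 2 path doubles as a spelling check for the `-o` argument: iptables accepts any interface name without validating that it exists, so a rule written for `eth1` on a host whose interface is actually `enp7s0f1` (the name the capture above was taken on) loads cleanly and simply never matches. Run the checker with the name `ip link` shows, not the one in the diagram.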