StrongSwan - NAT VPN Pool traffic (after decryption) to same IP as VPN Termination

I have been having issues doing NAT (of VPN pool traffic after decryption) through the same interface the VPN has terminated on. Any idea how to achieve this post-IPsec NAT?

              NAT Pool 10.10.10.0/24
              |
   [ Server VPN Strong Swan ] Eth1 (Public IP) ----------Internet----------- Remote Site (10.10.10.1)

Once the remote site connects and generates data, based on tcpdump I am able to see 10.10.10.1 going out of Eth1, but when I apply the following NAT rules it does not work.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0f1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:39:10.344051 IP 10.10.10.1.37438 > 1.1.1.1.80: Flags [S], seq 2217548787, win 65535, options [mss 1360,sackOK,TS val 2808310009 ecr 0,nop,wscale 8], length 0
12:39:10.344073 IP 10.10.10.1.37438 > 1.1.1.1.80: Flags [S], seq 2217548787, win 65535, options [mss 1360,sackOK,TS val 2808310009 ecr 0,nop,wscale 8], length 0
12:39:10.350632 IP 10.10.10.1.37440 > 1.1.1.1.80: Flags [S], seq 3855195472, win 65535, options [mss 1360,sackOK,TS val 2808310009 ecr 0,nop,wscale 8], length 0
12:39:10.350653 IP 10.10.10.1.37440 > 1.1.1.1.80: Flags [S], seq 3855195472, win 65535, options 

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth1 -j MASQUERADE

VPN Server Setup:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=yes

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

NAT Table

VPN-Server@localhost:~$ sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 180 packets, 48445 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 76 packets, 6166 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 76 packets, 6166 bytes)
 pkts bytes target     prot opt in     out     source               destination
  294 28462 LIBVIRT_PRT  all  --  any    any     anywhere             anywhere
    0     0 MASQUERADE  all  --  any    any     10.193.135.0/24     !10.193.135.0/24      /* generated for Multipass network mpqemubr0 */
    0     0 MASQUERADE  udp  --  any    any     10.193.135.0/24     !10.193.135.0/24      /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
    0     0 MASQUERADE  tcp  --  any    any     10.193.135.0/24     !10.193.135.0/24      /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
    0     0 RETURN     all  --  any    any     10.193.135.0/24      255.255.255.255      /* generated for Multipass network mpqemubr0 */
    0     0 RETURN     all  --  any    any     10.193.135.0/24      base-address.mcast.net/24  /* generated for Multipass network mpqemubr0 */
    0     0 MASQUERADE  all  --  any    Eth1  172.17.0.0/24        anywhere
   91 12895 MASQUERADE  all  --  any    Eth1  10.10.10.0/24        anywhere
    0     0 ACCEPT     all  --  any    Eth1  10.10.10.0/24        anywhere             policy match dir out pol ipsec

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24
    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255
    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24
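One thing the NAT table above makes visible is rule order: in POSTROUTING the MASQUERADE rule for 10.10.10.0/24 (91 packets) sits before the `policy match dir out pol ipsec` ACCEPT rule (0 packets), which is the reverse of the order the two `-A` commands produce on an empty chain. The exemption only does its job if it is evaluated first: a packet that should still enter a tunnel (another client's virtual IP, or a remote subnet in a site-to-site setup) is otherwise source-NATed to the public address before the XFRM policy lookup and no longer matches the IPsec policy's traffic selector. The script below is an added example, not code from the original post: it parses `iptables -t nat -L -v` text (the embedded listing is a trimmed copy of the one in the question, with the Multipass rules left out so the rule numbers stay short), reports the ordering for a given pool and WAN interface, and emits the `-D`/`-I` commands that move the exemption in front of MASQUERADE. The pool, interface name and chain are taken from the question; everything else is assumed.

```python
"""Check the POSTROUTING order of a VPN-pool NAT exemption.

Added example, not from the original post. Parses `iptables -t nat -L -v`
output and checks that the `-m policy --dir out --pol ipsec -j ACCEPT`
exemption is evaluated before the MASQUERADE rule for the same pool and
WAN interface.
"""
from dataclasses import dataclass

# Constructed sample: the POSTROUTING chain from the question, trimmed.
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 76 packets, 6166 bytes)
 pkts bytes target     prot opt in     out     source               destination
  294 28462 LIBVIRT_PRT  all  --  any    any     anywhere             anywhere
    0     0 MASQUERADE  all  --  any    Eth1  172.17.0.0/24        anywhere
   91 12895 MASQUERADE  all  --  any    Eth1  10.10.10.0/24        anywhere
    0     0 ACCEPT     all  --  any    Eth1  10.10.10.0/24        anywhere             policy match dir out pol ipsec

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24
"""


@dataclass
class NatRule:
    number: int      # 1-based position in the chain, as used by iptables -I / -D
    target: str
    out_if: str
    source: str
    extra: str       # trailing match text, e.g. "policy match dir out pol ipsec"


def parse_chain(listing: str, chain: str) -> list[NatRule]:
    """Extract the rules of one chain from `iptables -t nat -L -v` text."""
    rules: list[NatRule] = []
    in_chain = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.split()[0] == "pkts":
            continue
        # Columns: pkts bytes target prot opt in out source destination [extra]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        extra = parts[9] if len(parts) > 9 else ""
        rules.append(NatRule(len(rules) + 1, parts[2], parts[6], parts[7], extra))
    return rules


def check_exemption_order(rules, pool, wan):
    """Return (ok, masq_number, exempt_number) for the pool/WAN pair.

    ok is True only when an IPsec policy exemption exists and precedes the
    MASQUERADE rule. A missing rule is reported as number 0.
    """
    mine = [r for r in rules if r.source == pool and r.out_if == wan]
    masq = next((r.number for r in mine if r.target == "MASQUERADE"), 0)
    exempt = next((r.number for r in mine
                   if r.target == "ACCEPT"
                   and "pol ipsec" in r.extra and "dir out" in r.extra), 0)
    ok = bool(masq and exempt) and exempt < masq
    return ok, masq, exempt


def reorder_commands(pool, wan, masq_number):
    """Commands that move the exemption in front of the MASQUERADE rule.

    The misplaced exemption is deleted first; because it sits after
    MASQUERADE, the MASQUERADE position does not shift, so the exemption
    can then be inserted at exactly that position.
    """
    spec = f"-s {pool} -o {wan} -m policy --dir out --pol ipsec -j ACCEPT"
    return [
        f"iptables -t nat -D POSTROUTING {spec}",
        f"iptables -t nat -I POSTROUTING {masq_number} {spec}",
    ]


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_LISTING, "POSTROUTING")
    ok, masq, exempt = check_exemption_order(rules, "10.10.10.0/24", "Eth1")
    if ok:
        print("ipsec exemption precedes MASQUERADE: order is fine")
    else:
        print(f"MASQUERADE is rule {masq}, ipsec exemption is rule {exempt}; fix with:")
        for cmd in reorder_commands("10.10.10.0/24", "Eth1", masq):
            print("  " + cmd)
```

Pipe a live listing in with `sudo iptables -t nat -L -v | python3 check.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`. The packet counters in the same listing show whether a rule is hit at all, and `-o` compares the interface name literally, so it must match the real egress name exactly. Ordering in the nat table is only one half of forwarding: `net.ipv4.ip_forward` must be 1 and the filter table's FORWARD chain must accept the pool's traffic as well.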