Hi Dragos,

have a look at our [rather more complex] SNAT example scenario where we use XFRM_MARKS to tag the packets to be NAT-ed:

https://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/

This might give you some ideas on how to solve your problem.

Regards

Andreas

On 26.08.2015 17:01, Dragos Ilie wrote:
Hi,

I would like to know if it is possible to apply SNAT to a packet after it has been decrypted by IPsec, or if it is intentionally prevented.

The background is that we have a project where we try to run strongSwan inside KVM virtual machines managed by OpenStack. There are two OpenStack sites and they are connected with IPsec in tunnel mode. Each site consists of a regular node (VM) that sends packets through another VPN VM (the default gateway for the site) where we have strongSwan installed. The tunnel is established and using tcpdump we can observe that packets are decrypted on the destination VPN VM and then forwarded to the destination node (VM).

However, the underlying OpenStack host where the VPN VM is running has installed an iptables rule that drops outgoing packets unless they carry the src IP address of the VPN VM. This is why I would like to use SNAT on the decrypted packets (yes, I could remove the iptables rule but we would prefer not to do that).

I have tried adding the following rule on the VPN VM in question,

    iptables -t nat -D POSTROUTING -o eth0 -m policy --dir out --pol ipsec --reqid 14 --proto esp -j SNAT --to-source 10.1.2.18

where eth0 is the interface towards the destination VM, but without any luck. No packets are matched by the rule. I tried without -m policy, adding the rule to the ESP interface (eth1) instead, but nothing worked.

Now I am beginning to suspect that this behavior is intentional (don't match) and would like to have a second opinion.

Best regards,
Dragos
--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
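An added example, not part of the thread and not strongSwan project code, illustrating one way to SNAT packets after IPsec decapsulation with the xt_policy match that Dragos was already experimenting with (the linked strongSwan scenario uses XFRM marks instead). The relevant detail of xt_policy is that `--dir in` selects the policy a packet was decapsulated with and is only valid in PREROUTING, INPUT and FORWARD, while `--dir out` (valid in POSTROUTING, OUTPUT and FORWARD) looks for an outbound IPsec policy, which a decrypted cleartext packet leaving the inner interface does not have. The script therefore marks decapsulated packets in mangle FORWARD and SNATs by mark in nat POSTROUTING. The reqid 14, mark 0x10, interface eth0 and source address 10.1.2.18 are constructed values (the address and reqid mirror the thread); `print_snat_rules` only prints the rules, and `apply_snat_rules` runs them (root required).

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan code): SNAT packets that
# the local kernel just decapsulated from an IPsec tunnel. All parameter
# values used here are constructed for illustration.

# print_snat_rules <reqid> <mark> <out_iface> <snat_source>
# Emits the two iptables commands without running them, so the ruleset can be
# reviewed (or diffed against 'iptables-save') before being applied.
print_snat_rules() {
    reqid="$1"; mark="$2"; oif="$3"; src="$4"

    # xt_policy with '--dir in' matches against the policy the packet was
    # decapsulated with (tunnel-mode ESP, given reqid). '--dir in' is not
    # accepted in POSTROUTING, so the match is done in mangle FORWARD and the
    # result is recorded as a packet mark.
    printf 'iptables -t mangle -A FORWARD -m policy --dir in --pol ipsec --proto esp --mode tunnel --reqid %s -j MARK --set-mark %s\n' \
        "$reqid" "$mark"

    # nat POSTROUTING sees the cleartext packet leaving the inner interface;
    # the mark set above identifies it as a decapsulated packet. '-A' appends
    # a rule ('-D' would delete a matching one).
    printf 'iptables -t nat -A POSTROUTING -o %s -m mark --mark %s -j SNAT --to-source %s\n' \
        "$oif" "$mark" "$src"
}

# apply_snat_rules <reqid> <mark> <out_iface> <snat_source>
# Runs the printed commands one per line via the shell.
apply_snat_rules() {
    print_snat_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# show_counters: packet/byte counters of both rules, to confirm that traffic
# is actually hitting the mark rule before blaming the SNAT rule.
show_counters() {
    iptables -t mangle -L FORWARD -v -n -x
    iptables -t nat -L POSTROUTING -v -n -x
}

# Only touch the live firewall when explicitly asked: ./snat.sh apply
case "${1:-print}" in
    apply) apply_snat_rules 14 0x10 eth0 10.1.2.18 && show_counters ;;
    print) print_snat_rules 14 0x10 eth0 10.1.2.18 ;;
esac
```

If the mangle counter stays at zero after running `show_counters` while traffic flows, the decapsulation policy does not match the given `--reqid`, `--proto` or `--mode` (compare with `ip xfrm policy` / `ip xfrm state`); if the mangle counter rises but the nat counter does not, the packet is leaving on another interface or the mark is being overwritten elsewhere.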
