Hi,

Your assumption is wrong. tcpdump captures packets before any firewall rules are applied. Look at the diagram [1].

Anyway, your configuration is flawed. Use auto=route and avoid sha256. Its implementations differ between vendors.
Kind regards
Noel

[1] inai.de/images/nf-packet-flow.png

On 12.11.2017 11:56, Harm Verhagen wrote:
> Hi,
>
> I want to set up a configuration, of which I could find an example in the
> strongswan documentation.
>
> I want to set up an IKEv1 site-to-site configuration.
> But a virtual IP address must be NATed.
>
> I've set up some site-to-site configurations before without NAT; all work just
> fine.
> What's different here is that we must use NAT internally (virtual IP?). The
> remote site needs to access us via a specific (virtual) IP.
>
> site A - VPN A -------- VPN B - Site B
>
> local network A 10.0.0.0/24
> local network B 10.123.123.32/29
>
> VPN A is an Ubuntu machine with strongswan.
> I'm testing now with an Ubuntu machine as Site B too, but eventually that'll
> be a party that I don't control, using some Cisco device.
> The question is about the configuration of "VPN A".
> VPN A/VPN B: public IPs are on the internet.
>
> Site B needs to access a specific server in site A *10.0.0.1*
> But Site B requires that he access that server as *10.137.250.112* (the
> 'virtual ip', no machine has that ip)
>
> I'd like to achieve this with NATing in VPN A.
> (not by adding the 10.137.250.112 as an ip/subnet in site A)
>
> I managed to set up the tunnel correctly with the following config
>
> # config site A
> conn mycon
>   keyexchange=ikev1
>   authby=secret
>   auto=add
>   #keyingtries=%forever
>   ike=aes256-sha256-modp2048
>   esp=aes256-sha256-modp2048
>   type=tunnel
>   left=<public IP A>
>   leftsubnet=10.137.250.112/32
>   leftfirewall=yes
>   right=<public IP B>
>   rightsubnet=10.123.123.32/29
>
>   closeaction=restart
>
> # config Site B
> conn mycon
>   keyexchange=ikev1
>   authby=secret
>   auto=add
>   # config parameters of the remote CISCO 55010
>   ike=aes256-sha256-modp2048
>   esp=aes256-sha256-modp2048
>   type=tunnel
>   left=<public IP B>
>   leftsubnet=10.123.123.32/29
>   leftfirewall=yes
>   right=<public IP A>
>   rightsubnet=10.137.250.112/32
>
> The tunnel is up just fine:
> site A
> Security Associations (1 up, 0 connecting):
>        symeon[4]: ESTABLISHED 30 minutes ago,
> 149.210.145.167[149.210.145.167]...176.58.118.248[176.58.118.248]
>        symeon-nat{6}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c47cdf98_i c0a29f60_o
>        symeon-nat{6}:   10.137.250.112/32 === 10.123.123.32/29
>
> I now want to ping host 10.0.0.1 in Site A from a machine in site B using
> the virtual ip
> ping 10.137.250.112
>
> Those PING packets traverse the tunnel ok.
> I see them appearing in VPN A.
>
> tcpdump on VPN A shows:
>
> 11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
> 11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
>
> *iptables*
>
> VPN A is 10.0.0.2
> The machine to reach is 10.0.0.1
>
> I added the following rules to VPN A:
> iptables -t nat -A PREROUTING -p icmp -s 10.123.123.32/29 -d 10.137.250.112 -j DNAT --to-destination 10.0.0.1
> iptables -t nat -A POSTROUTING -s 10.123.123.32/29 -j SNAT --to 10.0.0.2
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> This does not seem to work, I'd expect the icmp packets to be sent to
> 10.0.0.2 with source 10.0.0.1 now (on the 10.0.0.0/24 interface)
>
> But I keep seeing the packets on the public interface as
> 11:45:40.239138 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
> 11:45:40.239167 IP 10.123.123.32 > 10.137.250.112: ICMP echo request, id 19009, seq 3768, length 64
>
> Anyone an idea how to properly configure NAT here in the machine "VPN A"?
>
> -Harm
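The script below is an added example written for this page; it is neither Noel's nor Harm's code and not part of the strongSwan project. It shows the NAT setup on "VPN A" that the thread is about, with the addresses from Harm's mail, and two checks that do not depend on tcpdump on the public interface: a packet captured there is seen before the nat PREROUTING hook (Noel's point), so it is always shown with the untranslated destination 10.137.250.112, whether or not the DNAT rule fired. The rule's own counter in `iptables -t nat -L PREROUTING -v -n -x`, and a capture on the LAN-facing interface, do show whether translation happened. The DNAT rule uses the xt_policy match so that only packets decapsulated from the ESP tunnel with Site B are rewritten; the extra FORWARD rules are there because, with leftfirewall=yes, the strongSwan updown script accepts forwarded traffic for the negotiated selector 10.137.250.112/32, not for the translated destination 10.0.0.1. Interface names (eth0, eth1), the dry-run mechanism (IPT defaults to `echo iptables`), and both sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: IPsec-aware DNAT on "VPN A" plus checks.
# Addresses are the ones from Harm's description; interface names and the
# dry-run mode are assumptions made for this example.
set -eu

REMOTE_NET="10.123.123.32/29"   # Site B's LAN (rightsubnet on VPN A)
VIRTUAL_IP="10.137.250.112"     # what Site B addresses (leftsubnet on VPN A)
REAL_HOST="10.0.0.1"            # the server in Site A that must answer
VPN_LAN_IP="10.0.0.2"           # VPN A's own address in 10.0.0.0/24
PUB_IF="${PUB_IF:-eth0}"        # assumed: public interface of VPN A
LAN_IF="${LAN_IF:-eth1}"        # assumed: interface towards 10.0.0.0/24

# Dry run by default: prints the commands. Run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

nat_rules() {
    # Rewrite the destination only for packets that were decapsulated from the
    # ESP tunnel with Site B (xt_policy match); plain Internet traffic to the
    # virtual IP is left alone.
    $IPT -t nat -A PREROUTING -i "$PUB_IF" \
        -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -d "$VIRTUAL_IP" -j DNAT --to-destination "$REAL_HOST"

    # Source-NAT towards the LAN so 10.0.0.1 answers VPN A; conntrack then
    # reverses both translations and the reply is again
    # 10.137.250.112 -> 10.123.123.x, matching the IPsec policy.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" \
        -s "$REMOTE_NET" -d "$REAL_HOST" -j SNAT --to-source "$VPN_LAN_IP"

    # leftfirewall=yes only accepts forwarded traffic for 10.137.250.112/32;
    # after DNAT the packet is for 10.0.0.1 and needs its own ACCEPT, and so
    # does the reply (seen in FORWARD with its SNAT already reversed).
    $IPT -A FORWARD -i "$PUB_IF" -o "$LAN_IF" \
        -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -d "$REAL_HOST" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$REAL_HOST" -d "$REMOTE_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check 1: did the DNAT rule fire? Reads `iptables -t nat -L PREROUTING -v -n -x`
# output on stdin and prints the packet counter of the DNAT rule for the
# virtual IP (columns: pkts bytes target prot opt in out source destination).
dnat_hits() {
    awk -v vip="$VIRTUAL_IP" '$3 == "DNAT" && $9 == vip { print $1 }'
}

# Check 2: the translated packet is visible on the LAN side, e.g. with
# `tcpdump -ni $LAN_IF icmp and host $REAL_HOST`. Reads such tcpdump lines on
# stdin and counts echo requests that already carry the translated addresses
# (src = VPN A's LAN address, dst = the real host).
translated_requests() {
    awk -v src="$VPN_LAN_IP" -v dst="$REAL_HOST" \
        '$2 == "IP" && $3 == src && $5 == (dst ":") && /ICMP echo request/ { n++ }
         END { print n + 0 }'
}

# Constructed sample outputs for the two checks (not real captures).
SAMPLE_NAT_COUNTERS='Chain PREROUTING (policy ACCEPT 12 packets, 800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     3108 DNAT       all  --  eth0   *       10.123.123.32/29     10.137.250.112       policy match dir in pol ipsec proto esp to:10.0.0.1'

SAMPLE_LAN_CAPTURE='11:45:40.239201 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 19009, seq 3768, length 64
11:45:40.239455 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 19009, seq 3768, length 64
11:45:41.240102 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 19009, seq 3769, length 64'

# Usage: `sh nat.sh` prints the rules, `sh nat.sh demo` runs the checks on the
# constructed samples (37 DNAT hits, 2 translated echo requests).
case "${1:-show}" in
    show) nat_rules ;;
    demo) printf '%s\n' "$SAMPLE_NAT_COUNTERS" | dnat_hits
          printf '%s\n' "$SAMPLE_LAN_CAPTURE" | translated_requests ;;
esac
```

On a live gateway, run the checks as `iptables -t nat -L PREROUTING -v -n -x | sh nat.sh` style pipes into `dnat_hits`, or compare the counter before and after a ping from Site B; a counter that does not move while the ICMP still shows up on the public interface means the packet never matched the rule (for instance because it is not coming out of an IPsec SA on that interface), whereas a moving counter with nothing on the LAN side points at the FORWARD chain.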
