[Openswan Users] OpenSwan VPN Routing/NAT Question

Joel Bouwkamp siftd106 at gmail.com
Sun Feb 11 07:29:08 EST 2018


Hello All,

I am setting up a vpn to one of our customer's networks. Due to a
requirement on their end, we cannot have our traffic (appear to) come from
a private ip address. I have been able to get a tunnel setup with our
customer, but I am having an issue getting the NAT to work as needed. For
testing purposes I have simulated the environment in AWS using 2 VPCs, and
watching traffic using tcpdump or tshark, to see what the from ip address
is. Here is a copy of the setup with different ip addresses.

    (Simulated Customer Side VPC - 172.16.0.0/16)
    Customer Test Server - 172.16.0.20
    AWS Hardware VPN - 1.1.1.1
    |
    |
    |
    (Internet)
    |
    |
    |
    (Our VPC - 10.10.10.0/16)
    OpenSwan VPN server - 2.2.2.2 and 10.10.10.10
    Internal Test Server - 10.10.10.20

The ipsec.conf file for OpenSwan....

    conn Tunnel1
      authby=secret
      auto=start
      left=%defaultroute
      leftid=2.2.2.2
      right=1.1.1.1
      type=tunnel
      ikelifetime=8h
      keylife=1h
      phase2alg=aes128-sha1;modp1024
      ike=aes128-sha1;modp1024
      auth=esp
      keyingtries=%forever
      keyexchange=ike
      leftsubnet=10.10.10.0/16
      rightsubnet=172.16.0.0/16
      dpddelay=10
      dpdtimeout=30
      dpdaction=restart_by_peer

and the secrets file looks like ....

    2.2.2.2 1.1.1.1: PSK "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

I have also set the following values in /etc/sysctl.conf

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0

Doing this I can get the tunnel to come "up" and I can communicate between
the test instances using the private ip addresses of the other tester (from
both sides). This shows (for ping and ssh) that the communication
comes from the private ip address of the other test server. For example a
ping from 10.10.10.20 to 172.16.0.20 shows (via tshark) the ping coming
from 10.10.10.20.

In order to get the traffic to appear like it comes from the external IP
address of the OpenSwan server, I added an iptables entry to the OpenSwan
instance.

    iptables -t nat -I POSTROUTING -s 10.10.10.0/16 -d 172.16.0.0/16 -o eth0 -j SNAT --to-source 2.2.2.2

Then when I ping from 10.10.10.20 to 172.16.0.20 the ping comes from
2.2.2.2. This is the behavior that I was hoping for, however when I try to
ssh from 10.10.10.20 to 172.16.0.20 the traffic never gets there. A tshark
on the Customer Test Server shows no ssh traffic coming in, from either
10.10.10.20 or 2.2.2.2, and a tcpdump on the OpenSwan server shows the
traffic as not getting NATed to 2.2.2.2 (it only shows packets for
10.10.10.20 -> 172.16.0.20:22).

I have tried many different configurations (struggling for several days) of
setting the left, leftsubnet, leftsourceip, leftnexthop, as well as using
SNAT and MASQUERADE, and other different iptables entries, with no luck
getting the traffic to look as needed.

What is required for me to get incoming traffic in the customer's network to
look like it comes from an external ip address? Any help is greatly
appreciated. Thanks.

If you need additional tcpdump or tshark logs, I can provide those as well.

And FWIW, I do have the AWS route tables in the Customer Test VPC set so
that 2.2.2.2 and 10.10.10.0/16 traffic goes to the VPN Gateway, and the
route tables in Our VPC have all 172.16.0.0/16 traffic going to the ENI for
the OpenSwan instance.

Thanks for any help,
-Joel
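Before digging into packet captures, the first thing a practitioner would check on a config like the one above is whether the address SNAT writes into the packets is still covered by the local traffic selector the tunnel negotiates, and whether the selector itself is written cleanly. The following checker is an added example (not code from the poster or from Openswan); it parses the conn block and the SNAT rule quoted in the post, which are embedded here as constructed input, and reports selector mismatches plus the algorithm choices a reviewer would flag.

```python
import ipaddress
import re

# Constructed input copied from the post above; the addresses are the
# placeholders the poster used, not real endpoints.
IPSEC_CONN = """
conn Tunnel1
  leftid=2.2.2.2
  right=1.1.1.1
  phase2alg=aes128-sha1;modp1024
  ike=aes128-sha1;modp1024
  leftsubnet=10.10.10.0/16
  rightsubnet=172.16.0.0/16
"""
SNAT_RULE = ("iptables -t nat -I POSTROUTING -s 10.10.10.0/16 -d 172.16.0.0/16 "
             "-o eth0 -j SNAT --to-source 2.2.2.2")

# Primitives a reviewer would flag in an IKE/ESP proposal: 1024-bit DH, SHA-1, 3DES, MD5.
WEAK_TOKENS = ("modp1024", "sha1", "3des", "md5")


def parse_conn(text):
    """Return the key=value pairs of a single ipsec.conf conn block."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)=(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_selectors(conf, snat_rule):
    """Compare the local selector (leftsubnet) with what SNAT puts into the inner packets."""
    findings = []
    # strict=False accepts a prefix with host bits set so we can show the network it really covers.
    left = ipaddress.ip_network(conf["leftsubnet"], strict=False)
    if str(left) != conf["leftsubnet"]:
        findings.append(f"leftsubnet {conf['leftsubnet']} has host bits set; it covers {left}")
    nat_src = ipaddress.ip_address(re.search(r"--to-source (\S+)", snat_rule).group(1))
    if nat_src not in left:
        findings.append(f"SNAT source {nat_src} is outside leftsubnet {left}; "
                        "inner packets carrying it do not match the tunnel's local selector")
    for key in ("ike", "phase2alg"):
        weak = [t for t in WEAK_TOKENS if t in conf.get(key, "")]
        if weak:
            findings.append(f"{key}={conf[key]} uses weak primitives: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in check_selectors(parse_conn(IPSEC_CONN), SNAT_RULE):
        print("-", finding)
```

Run against the poster's config it reports four findings; a conn whose leftsubnet already contains the SNAT address and uses a stronger proposal reports none.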