[Openswan Users] OpenSwan VPN Routing/NAT Question

Joel Bouwkamp siftd106 at gmail.com
Sun Feb 11 07:29:08 EST 2018

Hello All,

I am setting up a vpn to one of our customer's networks. Due to a
requirement on their end, we cannot have our traffic (appear to) come from
a private ip address. I have been able to get a tunnel setup with our
customer, but I am having an issue getting the NAT to work as needed. For
testing purposes I have simulated the environment in AWS using 2 VPCs, and
watching traffic using tcpdump or tshark, to see what the from ip address
is. Here is a copy of the setup with different ip addresses.

    (Simulated Customer Side VPC -
    Customer Test Server -
    AWS Hardware VPN -
    (Our VPC -
    OpenSwan VPN server - and
    Internal Test Server -

The ipsec.conf file for OpenSwan....

    conn Tunnel1

and the secrets file looks like .... PSK "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

I have also set the following values in /etc/sysctl.conf

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0

Doing this I can get the tunnel to come "up" and I can communicate between
the test instances using the private ip addresses of the other tester (from
both sides). This shows (for ping and ssh) that the communication
comes from the private ip address of the other test server. For example a
ping from to shows (via tshark) the ping coming

In order to get the traffic to appear like it comes from the external IP
address of the OpenSwan server, I added an iptables entry to the OpenSwan

    iptables -t nat -I POSTROUTING -s -d -o eth0 -j SNAT --to-source

Then when I ping from to the ping comes from This is the behavior that I was hoping for, however when I try to
ssh from to the traffic never gets there. A tshark
on the Customer Test Server shows no ssh traffic coming in, from either or, and a tcpdump on the OpenSwan server show the
traffic as not getting NATed to (it only shows packets for ->

I have tried many different configurations (struggling for several days) of
setting the left, leftsubnet, leftsourceip, leftnexthop, as well as using
SNAT and MASQUERADE, and other different iptables entries, with no luck
getting the traffic to look as needed.

What is required for me to get incoming traffic in the customer's network to
look like it comes from an external ip address? Any help is greatly
appreciated. Thanks.

If you need additional tcpdump or tshark logs, I can provide those as well.

And FWIW, I do have the AWS route tables in the Customer Test VPC set so
that and traffic goes to the VPN Gateway, and the
route tables in Our VPC have all traffic going to the ENI for
the OpenSwan instance.

Thanks for any help,
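As an added example (not part of the original post or of Openswan), here is a small Python checker for the kind of tcpdump/tshark verification described above. It parses `tcpdump -n` style lines and reports, per protocol, which source address the packets heading toward the remote network actually carry, so it is immediately visible whether a POSTROUTING SNAT rule translated all traffic or only some of it (the ping-versus-ssh difference reported in the post is exactly the pattern it is meant to surface). All addresses and capture lines are constructed placeholders: 203.0.113.5 stands in for the OpenSwan server's external address, 10.20.0.10 for the internal test server, and 10.30.0.0/24 for the customer side.

```python
"""Check whether traffic toward a remote network leaves with the expected SNAT source.

Added example, not code from the mailing list post. Parses tcpdump -n output
(constructed sample below) and groups packets bound for the remote network by
protocol and by the source address they carry.
"""
import ipaddress
import re
from collections import defaultdict

# tcpdump -n prints "HH:MM:SS.ffffff IP src[.port] > dst[.port]: <rest>".
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)

# Constructed capture: ICMP is translated to the external address,
# the ssh SYNs are not (the pattern described in the post).
SAMPLE_CAPTURE = """\
07:29:01.000001 IP 203.0.113.5 > 10.30.0.20: ICMP echo request, id 1, seq 1, length 64
07:29:01.000900 IP 10.30.0.20 > 203.0.113.5: ICMP echo reply, id 1, seq 1, length 64
07:29:02.000001 IP 203.0.113.5 > 10.30.0.20: ICMP echo request, id 1, seq 2, length 64
07:29:05.000001 IP 10.20.0.10.41234 > 10.30.0.20.22: Flags [S], seq 1, win 64240, length 0
07:29:06.000001 IP 10.20.0.10.41234 > 10.30.0.20.22: Flags [S], seq 1, win 64240, length 0
07:29:08.000001 IP 10.20.0.10.41234 > 10.30.0.20.22: Flags [S], seq 1, win 64240, length 0
"""


def parse_line(line):
    """Return (src, dst, proto) for one tcpdump -n line, or None for non-IP lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif "Flags [" in rest:
        proto = "tcp"
    elif rest.startswith("UDP"):
        proto = "udp"
    else:
        proto = "other"
    return m.group("src"), m.group("dst"), proto


def nat_report(lines, remote_net):
    """Packets destined for remote_net, counted per protocol and per source address.

    Replies and unrelated traffic (destination outside remote_net) are skipped:
    only the outbound direction tells us what the SNAT rule did.
    """
    net = ipaddress.ip_network(remote_net)
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto = parsed
        if ipaddress.ip_address(dst) not in net:
            continue
        report[proto][src] += 1
    return {proto: dict(srcs) for proto, srcs in report.items()}


def not_translated(report, expected_src):
    """Protocols that reached the remote network with a source other than expected_src."""
    return sorted(
        proto for proto, srcs in report.items()
        if any(src != expected_src for src in srcs)
    )


if __name__ == "__main__":
    rep = nat_report(SAMPLE_CAPTURE.splitlines(), "10.30.0.0/24")
    for proto, srcs in rep.items():
        print(proto, srcs)
    print("not translated:", not_translated(rep, "203.0.113.5"))
```

Feed it the output of a plain-text capture on the interface the SNAT rule names (`tcpdump -n -i eth0 not esp` keeps the ESP copies of the same packets out of the count); a protocol listed by `not_translated` is one whose packets passed the POSTROUTING hook without matching the rule, which narrows the search to the rule's match criteria for that protocol rather than to the tunnel itself.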