[Openswan Users] OpenSwan VPN Routing/NAT Question
Joel Bouwkamp
siftd106 at gmail.com
Sun Feb 11 07:29:08 EST 2018
Hello All,
I am setting up a vpn to one of our customer's networks. Due to a
requirement on their end, we cannot have our traffic (appear to) come from
a private ip address. I have been able to get a tunnel setup with our
customer, but I am having an issue getting the NAT to work as needed. For
testing purposes I have simulated the environment in AWS using 2 VPCs, and
watching traffic using tcpdump or tshark, to see what the from ip address
is. Here is a copy of the setup with different ip addresses.
(Simulated Customer Side VPC - 172.16.0.0/16)
Customer Test Server - 172.16.0.20
AWS Hardware VPN - 1.1.1.1
|
|
|
(Internet)
|
|
|
(Our VPC - 10.10.10.0/16)
OpenSwan VPN server - 2.2.2.2 and 10.10.10.10
Internal Test Server - 10.10.10.20
The ipsec.conf file for OpenSwan....
conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid=2.2.2.2
right=1.1.1.1
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
auth=esp
keyingtries=%forever
keyexchange=ike
leftsubnet=10.10.10.0/16
rightsubnet=172.16.0.0/16
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer
and the secrets file looks like ....
2.2.2.2 1.1.1.1: PSK "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
I have also set the following values to in /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
Doing this I can get the tunnel to come "up" and I can communicate between
the test instances using the private ip addresses of the other tester (from
both sides). This shows (for ping and ssh) that that the communication
comes from the private ip address of the other test server. For example a
ping from 10.10.10.20 to 172.16.0.20 shows (via tshark) the ping coming
from 10.10.10.20.
In order to get the traffic to appear like it comes form the external IP
address of the OpenSwan server, I added an ip tables entry to the OpenSwan
instance.
iptables -t nat -I POSTROUTING -s 10.10.10.0/16 -d 172.16.0.0/16 -o
eth0 -j SNAT --to-source 2.2.2.2
Then when I ping from 10.10.10.20 to 172.16.0.20 the ping comes from
2.2.2.2. This is the behavior that I was hoping for, however when I try to
ssh from 10.10.10.20 to 172.16.0.20 the traffic never gets there. A tshark
on the Customer Test Server shows no ssh traffic coming in, from either
10.10.10.20 or 2.2.2.2, and a tcpdump on the OpenSwan server show the
traffic as not getting NATed to 2.2.2.2 (it only shows packets for
10.10.10.20 -> 172.16.0.20:22).
I have tried many different configurations (struggling for several days) of
setting the left, leftsubnet, leftsourceip, leftnexthop, as well as using
SNAT and MASQUERADE, and other different iptables entries, with no luck
getting the traffic to look as needed.
What is required for me to get incoming traffic in the customers network to
look like it comes from an external ip address?. Any help is greatly
appreciated. Thanks.
If you need additional tcpdump or tshark logs, I can provide those as well.
And FWIW, I do have the AWS route tables in the Customer Test VPC set so
that 2.2.2.2 and 10.10.10.0/16 traffic goes to the VPN Gateway, and the
route tables in Our VPC has all 172.16.0.0/16 traffic going to the ENI for
the OpenSwan instance.
Thanks for any help,
-Joel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20180211/db02720f/attachment.html>
More information about the Users
mailing list