I'm trying to create two networks (using a Debian server):
- The first one is intended to pass packets in the normal way (to my ISP).
- The second one is intended to pass packets via an L2TP/IPSec VPN connection that I'm establishing at boot.
My current topology is:
- eth0 is connected to my ISP router (192.168.1.0/24)
- eth1 (10.0.0.1) is connected to my LAN (10.0.0.0/16)
- eth1:1 (10.1.0.1) is connected to my LAN (10.1.0.0/16)
- ppp0 is my L2TP/IPSec connection
If a client is using 10.0.0.1 as its router, it goes out through eth0; if a client is using 10.1.0.1 as its router, it goes out through ppp0.
So, to achieve that, I've created these 2 iptables rules:
iptables -A POSTROUTING -t nat -o eth0 -s 10.0.0.0/16 -j MASQUERADE
iptables -A POSTROUTING -t nat -o ppp0 -s 10.1.0.0/16 -j MASQUERADE
The first network (10.0.0.0/16) is working well; the NAT masquerade works great.
But for the second one (10.1.0.0/16) it's not working at all.
I'm sure that ppp0 is working, because if I change the default route on my server to use the ppp0 address, a traceroute google.com shows me that I'm going through the VPN.
My question is: why isn't it working with the NAT?
Best Answer
Your problem most likely comes from the encryption your IPSec tunnel is encapsulating your packets in. You need destination and source headers for NATting to forward your packets correctly; however, your IPSec tunnel is encapsulating those packets and encrypting them, making it impossible for your router to direct the traffic.
Depending on your router model and build there are some common solutions. Cisco hardware can work around this with an access control list.
Referencing documentation: VPN and Natting explained
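A check a practitioner would run before looking at the tunnel itself: a MASQUERADE rule in POSTROUTING only rewrites the source address after the kernel has already picked the outgoing interface from the server's own routing table, and the gateway address a client chose (10.0.0.1 versus 10.1.0.1) plays no part in that lookup. So unless the server has a source-based rule sending 10.1.0.0/16 to ppp0, that traffic follows the default route out eth0 and the ppp0 MASQUERADE rule is never matched. The script below is an added example, not code from the question or the answer; it emits (or, with --apply as root, runs) the iproute2 policy-routing and iptables commands for the topology in the question. The interface names and subnets come from the question; the routing table number 100 and the FORWARD rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example: source-based policy routing plus MASQUERADE for two LANs
# sharing one Debian router. Not part of the original question or answer.

LAN_ISP="10.0.0.0/16"   # clients using 10.0.0.1 as gateway (from the question)
LAN_VPN="10.1.0.0/16"   # clients using 10.1.0.1 as gateway (from the question)
LAN_IF="eth1"           # both LANs sit on eth1 / eth1:1 (from the question)
WAN_IF="eth0"           # ISP side (from the question)
VPN_IF="ppp0"           # L2TP/IPSec tunnel (from the question)
VPN_TABLE="100"         # routing table id chosen for this example (assumption)

# Emit the commands, one per line, without executing them.
# Order matters: routing decisions happen before POSTROUTING NAT, so the
# "ip rule" for LAN_VPN is what actually steers that traffic to ppp0.
build_vpn_routing_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route add default dev $VPN_IF table $VPN_TABLE
ip rule add from $LAN_VPN lookup $VPN_TABLE priority 1000
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_ISP -j MASQUERADE
iptables -t nat -A POSTROUTING -o $VPN_IF -s $LAN_VPN -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_ISP -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_VPN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of commands emitted (used by the self-check below).
count_cmds() {
    build_vpn_routing_cmds | grep -c .
}

# Commands that show which interface the kernel would actually pick for a
# forwarded packet from each LAN; "dev ppp0" must appear for the VPN LAN.
# 10.1.0.2 / 10.0.0.2 are constructed sample client addresses.
build_verify_cmds() {
    cat <<EOF
ip route get 8.8.8.8 from 10.1.0.2 iif $LAN_IF
ip route get 8.8.8.8 from 10.0.0.2 iif $LAN_IF
ip rule show
iptables -t nat -L POSTROUTING -v -n
EOF
}

# Apply the configuration (needs root); any failing command aborts.
apply_vpn_routing() {
    build_vpn_routing_cmds | sh -e
}

if [ "$1" = "--apply" ]; then
    apply_vpn_routing
    build_verify_cmds | sh
else
    echo "# dry run: commands that would be applied"
    build_vpn_routing_cmds
    echo "# verification commands"
    build_verify_cmds
fi
```

Run without arguments to review the generated commands; run with --apply as root to install them. Because ppp0 appears only once the L2TP session is up, the "ip route ... table 100" line belongs in a pppd ip-up hook rather than a boot script, otherwise it fails with "Cannot find device". If the return traffic through ppp0 is dropped, check that rp_filter on ppp0 is not set to strict mode, since the reverse-path check also consults the policy rules.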