Iptables – Openswan tunnel to remote public NAT’d host

amazon ec2iptablesnat;openswanvpn

Need help on this VPN set-up to work.
Left-hand. EC2:

eth0:10.0.0.100/EIP=1.1.1.1 (ie. NAT'd IP)
eth1:10.0.0.200/EIP=2.2.2.2
Peer ip/leftid: 1.1.1.1

Right-hand. Cisco:

Peer ip: 3.3.3.3
Peer host/rightsubnet: 3.3.3.30/32 (Public NAT'd ip)

Cisco ACL:
permit ip host 3.3.3.30/32 host 2.2.2.2 (LH eth1)

Tunnel is UP because outbound ping/telnet packets to 3.3.3.30 are going through the tunnel, but not replying/routing back.
Do I need to set up SNAT, DNAT, or masquerade in IPTABLES.

Basically the goal is for LH to reach Peer host using Public NAT'd IPs.

Any helpful tips are appreciated.

Best Answer

Sharing my findings to solve my own issue, and could be for some.
The ipsec.conf param leftsourceip saved the day! :)
No iptables NAT required for my case at least.
Here's the fully working ipsec.conf
Hope this would be helpful to others who hit similar issue.

conn myVPN

type=tunnel
forceencaps=yes
authby=secret
ike=3des-sha1;modp1024
keyexchange=ike
ikelifetime=86400s
phase2=esp
phase2alg=3des-sha1
salifetime=3600s
pfs=no
auto=start
keyingtries=3
rekey=no
left=%defaultroute
leftnexthop=%defaultroute
leftid=1.1.1.1
leftsourceip=2.2.2.2
right=3.3.3.3
rightid=3.3.3.3
rightsubnet=3.3.3.30/32
rightnexthop=%defaultroute

Related Solutions

Openswan ipsec transport tunnel not going up

Turns out NETKEY doesn't support compress=yes.

Removed the setting and it worked fine.

Openswan and xl2tpd tunnel not working

You need to enable IP forwarding, and disable the send_redirects, as per the results of the "ipsec verify" step you did.

This should do the trick:

echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

Then run "ipsec verify" again, and that failure should go away.

Best Answer

Related Solutions

Openswan ipsec transport tunnel not going up

Openswan and xl2tpd tunnel not working

Related Topic