Jason

Reputation: 21

Unable to NAT IP with Iptables and Strongswan in AWS

I've just configured Strongswan and can successfully bring the VPN tunnel up on an AWS EC2 instance, but I'm having issues with the traffic because we need to NAT the private IP address of my EC2 instance so that all traffic going through the VPN comes from a specific IP.

But currently if I ping the [DESTINATION_IP] address my traffic still originates from my private IP. I have tried several PREROUTING and POSTROUTING rules in iptables but nothing seems to work. Can anyone explain what the problem might be?

Current Settings

In AWS, source/destination checks are disabled.

strongswan statusall

Listening IP addresses:
  [PRIVATE_IP]
Connections:
          vpn:  %any...[VPN_FIREWALL_IP]  IKEv2, dpddelay=10s
          vpn:   local:  [[ELASTIC_PUBLIC_IP]] uses pre-shared key authentication
          vpn:   remote: [[VPN_FIREWALL_IP]] uses pre-shared key authentication
          vpn:   child:  0.0.0.0/0 === [DESTINATION_IP]/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
          vpn[1]: ESTABLISHED 5 seconds ago, [PRIVATE_IP][[ELASTIC_PUBLIC_IP]]...[VPN_FIREWALL_IP][[VPN_FIREWALL_IP]]
          vpn[1]: IKEv2 SPIs: 6055db442ef8607c_i* 3d2ec0bb945e9a2c_r, pre-shared key reauthentication in 7 hours
          vpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA1/MODP_2048
          vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca9d2ca0_i df70a539_o
          vpn{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
          vpn{1}:   [NAT_SOURCE_IP]/31 === [DESTINATION_IP]/32

ipsec.conf

config setup
    charondebug="all"
    uniqueids=no

conn %default
    ikelifetime=28800s
    keyexchange=ikev2
    keylife=3600s
    keyingtries=%forever
    mobike=no

conn vpn
    authby=psk
    auto=start
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    ike=aes128-sha256-prfsha1-modp2048!
    esp=aes128-sha256-modp2048,aes128-sha1-modp2048!
    left=%defaultroute
    leftid=[ELASTIC_PUBLIC_IP]
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    rightsubnet=[DESTINATION_IP]/32
    right=[VPN_FIREWALL_IP]
    rightid=[VPN_FIREWALL_IP]
    type=tunnel
    mark=100

iptables-save

*nat
:PREROUTING ACCEPT [9728:543855]
:INPUT ACCEPT [7882:388791]
:OUTPUT ACCEPT [20219:1527154]
:POSTROUTING ACCEPT [20725:1569658]
COMMIT
*filter
:INPUT ACCEPT [142:30437]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188:34735]
-A FORWARD -s [DESTINATION_IP]/32 -d [NAT_SOURCE_IP]/31 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s [NAT_SOURCE_IP]/31 -d [DESTINATION_IP]/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT

Upvotes: 2

Views: 4071

Answers (1)

GoodMirek

Reputation: 222

If I correctly understand your question, you are asking about how to set up source NAT on an EC2 instance with Strongswan. I run the same setup and in my case, the following iptables rules from [1] provide the requested functionality:

iptables -t nat -A POSTROUTING -s <NAT_SOURCE_IP>/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s <NAT_SOURCE_IP>/24 -o eth0 -j MASQUERADE

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Upvotes: 1
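As an added check for the setup discussed above (example code written for this page, not from the question, the answer or strongSwan): it parses an iptables-save dump, finds the first POSTROUTING nat rule a locally generated packet would hit, and reports whether the source address after NAT still fits the child SA selector shown in statusall (NAT_SOURCE_IP/31 === DESTINATION_IP/32). All addresses are constructed stand-ins, and the SNAT rule in the second dump is a hypothetical input, not a rule the page gives.

```python
# Dry run: which POSTROUTING nat rule does a locally generated packet hit, and does
# the translated source still fit the IPsec child SA selector? Addresses are constructed.
import ipaddress
import shlex

PRIVATE_IP = "10.0.1.5"                                  # [PRIVATE_IP], eth0's address
NAT_SOURCE_IP, DESTINATION_IP = "192.0.2.10", "198.51.100.20"
LOCAL_TS, REMOTE_TS = "192.0.2.10/31", "198.51.100.20/32"  # selector from statusall
# The question's dump (nat table empty) and a hypothetical dump with one SNAT rule
# (an assumption for this example, not a rule given anywhere on this page).
DUMP_NO_NAT = "*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n*filter\nCOMMIT\n"
DUMP_SNAT = (f"*nat\n-A POSTROUTING -d {DESTINATION_IP}/32 -o eth0 "
             f"-j SNAT --to-source {NAT_SOURCE_IP}\nCOMMIT\n")

def _contains(cidr, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def parse_nat_postrouting(dump):
    """Collect the '-A POSTROUTING' rules of the *nat table as option dicts."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif in_nat and line.startswith("-A POSTROUTING"):
            toks = shlex.split(line)[2:]
            rule = {t: toks[i + 1] for i, t in enumerate(toks)
                    if t in ("-s", "-d", "-o", "-j", "--to-source", "--pol")}
            rules.append(rule)
    return rules

def in_selector(src, dst):
    return _contains(LOCAL_TS, src) and _contains(REMOTE_TS, dst)

def post_nat_source(rules, src, dst, out_if="eth0"):
    """First matching rule wins; return the packet's source address after NAT."""
    for r in rules:
        if ("-s" in r and not _contains(r["-s"], src)) or \
           ("-d" in r and not _contains(r["-d"], dst)) or r.get("-o", out_if) != out_if \
           or (r.get("--pol") == "ipsec" and not in_selector(src, dst)):  # '-m policy'
            continue
        if r["-j"] == "SNAT":
            return r["--to-source"]
        if r["-j"] == "MASQUERADE":
            return PRIVATE_IP        # masquerade uses the outgoing interface's own address
        return src                   # ACCEPT: leave nat with the source untranslated
    return src

def tunnel_check(dump, src=PRIVATE_IP, dst=DESTINATION_IP):
    """Model assumption: the kernel re-checks IPsec policy after SNAT, so the packet enters the tunnel only if the post-NAT source fits the selector."""
    new_src = post_nat_source(parse_nat_postrouting(dump), src, dst)
    return new_src, in_selector(new_src, dst)
```

With the question's empty nat table the packet keeps its private source and never fits the selector; the dry run is only a model and does not replace checking `ip xfrm policy` and the `-m policy` rule counters on the host.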
