SNAT through Racoon IPSec VPN

Posted by Mite fine d'ailes on Server Fault See other posts from Server Fault or by Mite fine d'ailes
Published on 2011-09-02T10:17:31Z Indexed on 2012/06/04 4:42 UTC
Read the original article Hit count: 559

Filed under:
|
|
|

I am trying to route traffic from a device (that I will call "target") connected to my Ubuntu box (that I will call "host") to servers at a remote office.

The host uses a Racoon IPSec VPN, connected through a NIC called efix. This creates an aliased IF called efix:0 which has IP adress 192.168.190.132. It is able to reach the servers.

The link between host and target is an Ethernet link, using IP adresses 10.0.0.1 on IF eusb for the host and 10.0.0.2 on IF eth0 for the target.

I have setup the following routes and iptables entries:

  • On target:

    10.0.0.0 *        255.255.255.0 U  0 0 0 eth0
    default  10.0.0.1 0.0.0.0       UG 0 0 0 eth0
    
  • On host:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to 192.168.190.132
    iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
    iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
    

Using Wireshark to monitor an HTTP GET, I can see SYN packets from the target go all the way to the server, but the server's SYNACK packets stop at the host and are not forwarded to the target. Am I missing something here ? Isn't SNAT supposed to keep track of the connections ?

© Server Fault or respective owner

Related posts about vpn

Related posts about iptables