
I must set up an ipsec tunnel to use an external service provided by another company (so I have no control on the other side and can't change anything there). Let's say that:

  • 192.168.0.0/24 is my local subnet
  • 150.150.150.151 is my public, external ip
  • 160.160.160.161 is the remote peer I must connect to

I prepared a VM (let's say 192.168.0.100) with Ubuntu Server and Strongswan, then set up left and right ip, encryption and passkey from /etc/ipsec.conf - IPsec Phase 1 starts.

Now, in order to start Phase 2, the other side ONLY accepts a certain address/32 as left subnet (let's say 170.170.170.171/32). If I don't do that, the tunnel doesn't start. This is confirmed from the people who set up the tunnel on the other side. The right subnet is the ip range I need to reach, which is, again, a single ip (let's say, 180.180.180.181/32).

After setting it up like this, the connection is established and, in ipsec status, it says it's installed and working. Now, I add 170.170.170.171 as a secondary ip from /etc/networks and I can ping and nmap 180.180.180.181 so, it works.

Now, I don't understand how I can route traffic from 192.168.0.0/24 to the tunnel when I want to reach 180.180.180.181. I tried with a static route from my router, forcing traffic to 192.168.0.100 when requesting 180.180.180.181 but tracing the route shows that, after reaching 192.168.0.100, traffic goes back to the main gateway and follows the regular path to the internet instead of going into the tunnel.

So basically the question is, how can I route traffic through a tunnel in this kind of situation?

1 Answer

In addition to routing, you will also need SNAT (masquerading) to rewrite the LAN hosts' source IP address with the gateway's own 170.170.170.171 address – first, because that's the only address allowed through; second, because the other company's service isn't going to have a route back to your LAN subnet.

SNAT is done through your firewall – add a -j SNAT rule in iptables or snat to in nftables. For example:

# /etc/nftables.conf
table ip nat {
  chain postrouting {
    # nat hook after the routing decision, standard source-NAT priority
    type nat hook postrouting priority srcnat;
    # anything heading for the remote host leaves with the tunnel's allowed /32 as source
    ip daddr 180.180.180.181 snat to 170.170.170.171
  }
}
  • I switched from iptables to nftables and just added your rule with the correct addresses and it works flawlessly... thanks!
    – didrocks66
    Commented Apr 6, 2022 at 11:14
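The following is an added illustration, not code from the question or the answer. It models the gateway's decision with the question's own addresses: the Phase 2 selectors only cover 170.170.170.171/32 to 180.180.180.181/32, so a forwarded packet whose source is still a LAN address never matches the IPsec policy and falls through to the default route, exactly the behaviour the traceroute in the question shows. After the SNAT rule rewrites the source, the same packet matches and is sent into the tunnel. The LAN host 192.168.0.50 and the unrelated destination 198.51.100.10 are constructed sample values; the packet path is simplified (Linux re-evaluates the IPsec policy after NAT has changed the addresses, which is why SNAT in postrouting is sufficient).

```python
"""Why LAN traffic needs SNAT before it can enter a /32-to-/32 IPsec tunnel.

Constructed example, not from the original Q&A. Addresses are the ones used in
the question; 192.168.0.50 and 198.51.100.10 are assumed sample values.
"""
from dataclasses import dataclass
import ipaddress

IP = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network

# Phase 2 traffic selectors the remote side accepts (from the question).
LEFT_SUBNET = IPNet("170.170.170.171/32")    # only this /32 is allowed as the local selector
RIGHT_SUBNET = IPNet("180.180.180.181/32")   # the single remote host reachable via the tunnel
GATEWAY_TUNNEL_IP = IP("170.170.170.171")    # secondary address on the strongSwan VM


@dataclass(frozen=True)
class Packet:
    src: IP
    dst: IP


def matches_ipsec_policy(pkt: Packet) -> bool:
    """Simplified kernel policy lookup: both ends must fall inside the selectors."""
    return pkt.src in LEFT_SUBNET and pkt.dst in RIGHT_SUBNET


def nat_postrouting(pkt: Packet) -> Packet:
    """Equivalent of the answer's rule: ip daddr 180.180.180.181 snat to 170.170.170.171."""
    if pkt.dst in RIGHT_SUBNET:
        return Packet(src=GATEWAY_TUNNEL_IP, dst=pkt.dst)
    return pkt  # other destinations keep their source and take the normal route


def forward(pkt: Packet, snat_enabled: bool) -> str:
    """Return where the gateway sends a forwarded packet: 'tunnel' or 'default-gw'.

    Simplification: after NAT rewrites the source, the IPsec policy is
    re-evaluated on the translated addresses, so SNAT decides the outcome.
    """
    if snat_enabled:
        pkt = nat_postrouting(pkt)
    return "tunnel" if matches_ipsec_policy(pkt) else "default-gw"


def nftables_rule() -> str:
    """The nftables rule from the answer, as a single nft command."""
    return (f"nft add rule ip nat postrouting ip daddr {RIGHT_SUBNET.network_address} "
            f"snat to {GATEWAY_TUNNEL_IP}")


def iptables_rule() -> str:
    """The same translation expressed with the legacy iptables -j SNAT target."""
    return (f"iptables -t nat -A POSTROUTING -d {RIGHT_SUBNET.network_address} "
            f"-j SNAT --to-source {GATEWAY_TUNNEL_IP}")


if __name__ == "__main__":
    lan_client = Packet(IP("192.168.0.50"), IP("180.180.180.181"))
    print("without SNAT:", forward(lan_client, snat_enabled=False))  # default-gw
    print("with SNAT:   ", forward(lan_client, snat_enabled=True))   # tunnel
    print(nftables_rule())
    print(iptables_rule())
```

The static route on the LAN router (180.180.180.181/32 via 192.168.0.100) is still required so that clients hand the packet to the VM in the first place; the model above only covers what the VM does once it has the packet.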
