  1. #1

    Question VPN-Server (IPsec only): How to do NAT and Routing?


    Hi there,

    I'm a Linux noob and I'm looking for help with NAT and routing on my VPN server (Openswan).

    With the help of several tutorials I set up a L2TP/IPsec VPN server on AWS (based on Ubuntu server). That works pretty well and my Mikrotik router as well as Windows and iOS clients can connect to the server and browse the web. But unfortunately the connection from my Mikrotik router is not as stable as I would like it to be. It disconnects several times per day and troubleshooting is hard because unfortunately my Internet connection here can be pretty bad when trying to access websites abroad.

    To simplify things, I want to replace the Mikrotik with a Ubiquiti router, because the latter also offers a virtual tunnel interface for IPsec connections which can be used for policy based routing. No need for L2TP as on the Mikrotik.

    So my question is: how do I route traffic that arrives at the VPN server through the tunnel (in tunnel mode) to the Internet? How do I have to configure Openswan and Ubuntu to NAT and route the traffic to the Internet (and back to my LAN)?

    Right now my ipsec.conf looks like this:

    Code:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    #
    # Manual:     ipsec.conf.5
    
    
    version 2.0     # conforms to second version of ipsec.conf specification
    
    # basic configuration
    config setup
            # Do not set debug options to debug configuration issues!
            # plutodebug / klipsdebug = "all", "none" or a combination from below:
            # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
            # eg:
            # plutodebug="control parsing"
            # Again: only enable plutodebug or klipsdebug when asked by a developer
            #
            # enable to get logs per-peer
            # plutoopts="--perpeerlog"
            #
            # Enable core dumps (might require system changes, like ulimit -C)
            # This is required for abrtd to work properly
            # Note: incorrect SElinux policies might prevent pluto writing the core
            dumpdir=/var/run/pluto/
            #
            # NAT-TRAVERSAL support, see README.NAT-Traversal
            nat_traversal=yes
            # exclude networks used on server side by adding %v4:!a.b.c.0/24
            # It seems that T-Mobile in the US and Rogers/Fido in Canada are
            # using 25/8 as "private" address space on their 3G network.
            # This range has not been announced via BGP (at least up to 2010-12-21)
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
            # OE is now off by default. Uncomment and change to on, to enable.
            oe=off
            # which IPsec stack to use. auto will try netkey, then klips then mast
            protostack=netkey
            # Use this to log to a file, or disable logging on embedded systems (like openwrt)
            #plutostderrlog=/dev/null
    
    # Add connections here
    
    # sample VPN connection
    # for more examples, see /etc/ipsec.d/examples/
    conn vpnpsk
            # Left security gateway, subnet behind it, nexthop toward right.
            left=%defaultroute
            leftid=Public AWS IP
            leftsubnet=AWS subnet
            leftnexthop=%defaultroute
            leftprotoport=17/1701
            # Right security gateway, subnet behind it, nexthop toward left.
            right=%any
            #rightsubnetwithin=0.0.0.0/0
            #rightnexthop=10.101.102.103
            rightprotoport=17/%any
            # To authorize this connection, but not actually start it,
            # at startup, uncomment this.
            auto=add
            # Force all to be nat'ed because of iOS
            forceencaps=yes
            authby=secret
            pfs=no
            type=transport
            #auth=esp
            #ike=3des-sha1
            #phase2alg=3des-sha1
            dpddelay=30
            dpdtimeout=120
            dpdaction=clear
            # Set ikelifetime and keylife to same defaults as Windows
            ikelifetime=8h
            keylife=1h

    Do I just need to change into something like:

    Openswan:
    Code:
    [...]
    type=tunnel
    leftsubnetwithin=0.0.0.0/0
    [...]
    And for the NAT:
    Code:
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
    if 192.168.1.0/24 were my subnet at home (right now I use that subnet for the IP addresses assigned to the L2TP clients, of course)?

    Or do I need more?

    I should be able to set up the tunnel between the Ubiquiti and the VPN server based on the tutorials available (tunnel and PBR). So I am only looking for help with NAT and routing on the Ubuntu server.

    Thanks!

    Kind regards,
    iBlueDragon

  2. #2
    A sample config from my Libreswan IPsec box - it should be very similar for Openswan:


    Make sure you have the subnets known:
    virtual_private=%v4:10.0.0.0/24,%v4:192.168.100.0/24

    # I always think of Left = Local and Right = Remote
    # This will work for static IPs - you will have much more 'fun' if you use a dynamic IP.... Get a static as it is worth the cost
    conn Test
    type=tunnel
    # Change according to your authentication type
    authby=secret
    auto=add
    ike=aes-sha1
    phase2alg=aes-sha1
    ikelifetime=3600s
    salifetime=28800s
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    pfs=yes
    #Reverse the following for the other end
    left=%defaultroute
    leftsourceip=192.168.100.1
    leftsubnet=192.168.100.0/24
    leftid=@ServerA
    right=your.destination.ip
    # For a dynamic remote IP you will need
    # right=%any
    # So make sure you use an ID with it
    rightsubnet=10.0.0.0/24
    rightid=@ServerB


    Your ipsec.secrets should have something like this:

    # Using IDs - particularly if you have a dynamic IP involved
    @ServerA @ServerB : PSK "SomeRidiculouslyLongAndComplexPassord"

    # Using IPs
    My.local.ip your.destination.ip : PSK "SomeRidiculouslyLongAndComplexPassord"

    Much better is to use RSA sigs, and better again to use Certificates.


    iptables - I am no guru here, but you must make sure that you allow the IPsec ports.

    Something like this from here "linuxconnect.blogspot.com.es/2010/04/iptable-rule-for-allowing-ipsec-traffic.html" (I can't post full URLs yet as I am not grown up enough! I have no affiliation to the site - I just Googled it)

    # Allow IP protocol 50 (ESP, the encrypted payload)
    iptables --append INPUT --protocol ESP --in-interface eth0 --jump ACCEPT
    # Allow IKE on UDP 500
    iptables --append INPUT --protocol UDP --source-port 500 --destination-port 500 --in-interface eth0 --jump ACCEPT
    # UDP 4500 is needed for NAT-Traversal (UDP-encapsulated IKE and ESP)
    iptables --append INPUT --protocol UDP --source-port 4500 --destination-port 4500 --in-interface eth0 --jump ACCEPT

    Note that the protocols seem to be case-sensitive and I had a big fail when I used 'esp' instead of 'ESP'.

    Add some logging and see what gets blocked.

    Yes, you need something like this to NAT the packets:

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

    HTH.

    B. Rgds
    John
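
The routing and NAT side of the question, as an added example that is not from either post above. It assumes the conn has been switched to type=tunnel with leftsubnet=0.0.0.0/0 and rightsubnet=192.168.1.0/24 (the home LAN), that the WAN interface is eth0, that the netkey stack is in use, and that VPN_DRY_RUN=1 prints the commands instead of executing them (the variable names are this example's own):

```shell
#!/bin/sh
# Added example: NAT and forwarding rules for an IPsec tunnel-mode gateway on
# Ubuntu (netkey). WAN_IF, REMOTE_LAN and VPN_DRY_RUN are assumed names.
WAN_IF="${WAN_IF:-eth0}"
REMOTE_LAN="${REMOTE_LAN:-192.168.1.0/24}"

run() {
    # Dry-run mode prints each command; otherwise execute it (needs root).
    if [ "${VPN_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ipsec_gateway_rules() {
    # 1. Forwarding must be on, or decrypted packets are dropped before NAT
    #    (make it persistent in /etc/sysctl.conf as well).
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Let IKE (UDP 500), NAT-T (UDP 4500) and ESP reach Openswan on the WAN.
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
    # 3. With netkey there is no tunnel interface: decrypted packets still show
    #    up on eth0. Match them by IPsec policy so that only traffic that really
    #    came out of the tunnel is forwarded, not arbitrary spoofed packets.
    run iptables -A FORWARD -i "$WAN_IF" -m policy --dir in --pol ipsec \
        -s "$REMOTE_LAN" -j ACCEPT
    run iptables -A FORWARD -o "$WAN_IF" -m policy --dir out --pol ipsec \
        -d "$REMOTE_LAN" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
    # 4. Packets about to enter the tunnel must not be masqueraded, or their
    #    addresses no longer match the tunnel selectors and the SA is bypassed.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m policy --dir out --pol ipsec \
        -j ACCEPT
    # 5. Everything else from the home LAN leaves with the AWS public IP.
    run iptables -t nat -A POSTROUTING -s "$REMOTE_LAN" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply) ipsec_gateway_rules ;;
    show)  VPN_DRY_RUN=1 ipsec_gateway_rules ;;
esac
```

Run it with `show` first to review the rule set, then with `apply` as root; the policy-match ACCEPT in POSTROUTING must stay ahead of the MASQUERADE rule.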
