1

I am trying to migrate from iptables to nftables (Debian) and hit a wall here with the rules for Strongswan VPN. Can anybody help me translate these rules to nftables? The auto-converter could not do them.

# -t filter -A FORWARD -s 10.10.10.2/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT -m comment --comment VPN forwarding
# -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
# -t mangle -A FORWARD -s 10.10.10.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
b4d

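A direct nftables translation of the three rules in the question, as an added example that is not part of the original question or answer. It assumes an nftables and kernel recent enough for the `meta ipsec exists` and `rt ipsec exists` matches (roughly nftables 0.9.1 or later), reads the first rule's source as 10.10.10.0/24, and adds a trailing masquerade rule that the question does not show but that its POSTROUTING ACCEPT implies.

```nft
#!/usr/sbin/nft -f
# Added example: nftables equivalent of the question's three iptables rules.
# Assumptions: VPN subnet 10.10.10.0/24, uplink interface eth0 (both from the
# question); nftables 0.9.1+ for "meta ipsec exists" / "rt ipsec exists".
# Numeric priorities are used for portability: mangle=-150, filter=0, srcnat=100.

table ip filter {
    chain forward {
        # Chain policy is left at the default (accept); set "policy drop;" if your
        # old FORWARD chain defaulted to DROP.
        type filter hook forward priority 0;

        # iptables: -m policy --dir in --pol ipsec -j ACCEPT
        # "meta ipsec exists" matches packets that arrived through an IPsec SA
        # (i.e. were just decapsulated). There is no separate ESP-vs-AH match.
        ip saddr 10.10.10.0/24 meta ipsec exists accept comment "VPN forwarding"
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;

        # iptables: -m policy --dir out --pol ipsec -j ACCEPT
        # Exempt traffic that will be IPsec-encapsulated on eth0 from NAT so it
        # keeps its inner 10.10.10.x source; must come before the masquerade rule.
        ip saddr 10.10.10.0/24 oifname "eth0" rt ipsec exists accept

        # Assumed: everything else leaving eth0 is masqueraded (the question's
        # POSTROUTING ACCEPT only makes sense with a NAT rule after it).
        oifname "eth0" masquerade
    }
}

table ip mangle {
    chain forward {
        type filter hook forward priority -150;

        # iptables: -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
        # Clamp the MSS of decrypted VPN SYNs heading out eth0 down to 1360.
        ip saddr 10.10.10.0/24 oifname "eth0" meta ipsec exists tcp flags & (syn|rst) == syn tcp option maxseg size 1361-1536 tcp option maxseg size set 1360
    }
}
```

Load it with `nft -f <file>` after checking the syntax with `nft -c -f <file>`; if your nftables rejects the `ipsec` keys, the kernel or nft package is too old for this match and the rules need to stay on iptables.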
1 Answer

-1

I have a local test virtual environment:

Client A <--> Strongswan Peer A <--> Strongswan Peer B <--> Client B

In Peer A and Peer B:

nft add table nat
nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
nft add rule nat postrouting masquerade

Also in both peers I had to:

sysctl -w net.ipv4.ip_forward=1

And it worked for me.

downtheroad