
Need help getting this VPN set-up to work.
Left-hand (EC2):

  • eth0: 10.0.0.100 / EIP=1.1.1.1 (i.e. NAT'd IP)
  • eth1:10.0.0.200/EIP=2.2.2.2
  • Peer ip/leftid: 1.1.1.1

Right-hand (Cisco):

  • Peer ip: 3.3.3.3
  • Peer host/rightsubnet: 3.3.3.30/32 (Public NAT'd ip)

Cisco ACL: permit ip host 3.3.3.30/32 host 2.2.2.2 (LH eth1)

  1. The tunnel is UP because outbound ping/telnet packets to 3.3.3.30 are going through the tunnel, but the replies are not routing back.
  2. Do I need to set up SNAT, DNAT, or masquerade in iptables?

Basically the goal is for LH to reach Peer host using Public NAT'd IPs.

Any helpful tips are appreciated.

dcvpn

2 Answers


Sharing my findings that solved my own issue; they could help others too.
The ipsec.conf param leftsourceip saved the day! :)
No iptables NAT required, for my case at least.
Here's the fully working ipsec.conf.
Hope this will be helpful to others who hit a similar issue.

    # Openswan/Libreswan connection definition; parameters must be indented under the conn line
    conn myVPN
        type=tunnel
        # UDP encapsulation: the EC2 side sits behind AWS NAT (EIPs), the peer host behind the Cisco NAT
        forceencaps=yes
        # pre-shared key, taken from ipsec.secrets
        authby=secret
        # phase 1 (IKE) proposal
        ike=3des-sha1;modp1024
        keyexchange=ike
        ikelifetime=86400s
        # phase 2 (ESP) proposal
        phase2=esp
        phase2alg=3des-sha1
        salifetime=3600s
        pfs=no
        auto=start
        keyingtries=3
        rekey=no
        # local endpoint: the address on the default-route interface eth0 (10.0.0.100, NAT'd to EIP 1.1.1.1)
        left=%defaultroute
        leftnexthop=%defaultroute
        # identity presented in IKE: the public EIP, not the private address
        leftid=1.1.1.1
        # source address this host uses for traffic it sends into the tunnel itself (the eth1 EIP)
        leftsourceip=2.2.2.2
        # peer and remote encryption domain: the single host behind the Cisco
        right=3.3.3.3
        rightid=3.3.3.3
        rightsubnet=3.3.3.30/32
        rightnexthop=%defaultroute

dcvpn

Sharing your findings did help someone! :)

Fixed the exact issue I was facing!!

Thanks for posting the solution!!!

Here is what I needed to additionally do to forward packets to the other side:

  • on the left side, enable forwarding

    echo 1 > /proc/sys/net/ipv4/ip_forward

  • allocate an EIP (1.1.1.1) and associate it with the eth0 interface on the AWS instance

  • add another EIP (2.2.2.2) and associate it with the eth1 interface on the same instance
  • set the leftsourceip (2.2.2.2) address as a sub-interface eth1:1
  • set eth0 as the default gateway

    Centos - add "GATEWAYDEV=eth0" to /etc/sysconfig/network

  • disable source/destination checking on both instance interfaces in the AWS console

  • iptables SNAT rules to rewrite the source header of the packet so that anything coming in from a local AWS host on eth1 appears to come from the encryption domain (leftsourceip) on eth1. E.g. 10.0.0.123, an IP in the same collision domain inside the VPC that the VPN instance belongs to, needs to go out and get to the destination. Also allow any existing established or related sessions to pass.

    iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.123 -j SNAT --to-source 2.2.2.2

    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Sardashay
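The steps in the answer above, gathered into one script. This is an added example, not code from either answer: it renders the left-side (EC2) configuration as idempotent commands and only applies them when asked. It departs from the posted rules in three places a practitioner would want: the SNAT is limited to traffic destined for the peer host (the posted rule rewrites everything 10.0.0.123 sends out of eth0, including ordinary internet traffic, to 2.2.2.2); forwarding out of eth0 is limited to VPC-host-to-peer-host traffic instead of any eth1-to-eth0 traffic; and the VPN host's own traffic to the peer host is dropped if it has not picked up an outbound IPsec policy, instead of leaving eth0 in the clear via 1.1.1.1. Addresses and interface names follow the thread; VPC_NET (10.0.0.0/24) is an assumption, since the thread only mentions the single host 10.0.0.123.

```shell
#!/bin/sh
# Added example (not from the original answers): render, and optionally apply, the
# left-side EC2 configuration described in the thread.  Addresses follow the thread;
# VPC_NET is an assumption (the thread only shows the single host 10.0.0.123).
set -eu

EXT_IF=${EXT_IF:-eth0}             # default route, EIP 1.1.1.1 (left / leftid)
INT_IF=${INT_IF:-eth1}             # EIP 2.2.2.2, the local encryption domain
LEFT_SRC=${LEFT_SRC:-2.2.2.2}      # leftsourceip in ipsec.conf
PEER_HOST=${PEER_HOST:-3.3.3.30}   # rightsubnet, the host behind the Cisco
VPC_NET=${VPC_NET:-10.0.0.0/24}    # assumed VPC range allowed into the tunnel

# One iptables rule, written so that re-running the script does not duplicate it:
# try -C (check) first, append with -A only if the rule is absent.
ipt_rule() {
    table=$1
    shift
    printf 'iptables -t %s -C %s 2>/dev/null || iptables -t %s -A %s\n' \
        "$table" "$*" "$table" "$*"
}

# Print every command needed on the left side, one per line.
render_rules() {
    # 1. forwarding, now and after reboot
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf "grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf\n"
    # 2. encryption-domain address as a /32 on the labelled sub-interface (eth1:1)
    printf 'ip addr show dev %s | grep -qF %s/32 || ip addr add %s/32 dev %s label %s:1\n' \
        "$INT_IF" "$LEFT_SRC" "$LEFT_SRC" "$INT_IF" "$INT_IF"
    # 3. VPC hosts reach the peer host with the encryption-domain address as source;
    #    the -d restriction keeps ordinary internet traffic from being rewritten to 2.2.2.2
    ipt_rule nat "POSTROUTING -o $EXT_IF -s $VPC_NET -d $PEER_HOST -j SNAT --to-source $LEFT_SRC"
    # 4. forwarding: replies back in, only tunnel-bound traffic out
    ipt_rule filter "FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    ipt_rule filter "FORWARD -i $INT_IF -o $EXT_IF -s $VPC_NET -d $PEER_HOST -j ACCEPT"
    # 5. fail closed for the VPN host's own traffic: a packet for the peer host with no
    #    outbound IPsec policy would otherwise leave eth0 unencrypted via 1.1.1.1.
    #    (Forwarded traffic cannot use this match in FORWARD: that chain runs before the
    #    SNAT, so the packet has not yet matched the 2.2.2.2 <-> 3.3.3.30 policy there.)
    ipt_rule filter "OUTPUT -o $EXT_IF -d $PEER_HOST -m policy --dir out --pol none -j DROP"
}

# Execute the rendered commands (root only); prints each line before running it.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    render_rules | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        eval "$cmd"
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       render_rules ;;   # default: dry run, just show what would be done
esac
```

Run it with no arguments to see the commands it would execute; run `./vpn-left.sh --apply` as root to execute them. Because every iptables line is a check-then-append, the script can be re-run after a reboot or after adding an EIP without stacking duplicate rules. The order of the FORWARD rules matters only within the filter table, and the OUTPUT drop sits in its own chain, so none of the rules shadow each other.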