                                                                                                                +----------+
                                                                                                        +-------+ Client 1 |
    +--------------+             +---------------+         +----------+           +------------+        |       +----------+
    |  Web Server  +-------------+ Cisco ASA5585 +---------+ Internet +-----------+ StrongSwan +--------+       IP: 10.2.0.1
    +--------------+             +---------------+         +----------+           +------------+        |
                                                                                                        |       +----------+
                                                                                                        +-------+ Client 2 |
   Internal Web server          External IP: 1.1.1.1                           External IP: 2.2.2.2             +----------+
   https://some.webservice.net                                                 Internal IP: 10.1.0.1            IP: 10.3.0.1
   192.168.0.1:443
  • Clients 1 and 2 are in different /20 subnets and need to access the internal web server on the remote side through the host-to-host IPsec VPN tunnel between the StrongSwan server and a remote Cisco ASA device.

  • We don't have any control over the remote side.

  • We have routing in place to allow client 1 and client 2 to reach the StrongSwan server.

  • We have the tunnel established between the StrongSwan server and the Cisco ASA device.

  • We have IP forwarding enabled on the StrongSwan server.

I'm trying to find out whether it's feasible to use iptunnel to masquerade clients 1 and 2 as the StrongSwan server itself in order to allow them to access the internal web server at the remote side of the tunnel.

Jinesh Choksi

2 Answers


An easy way to make connections to the web server come from the StrongSwan machine would be to install a proxy like Squid and use it from the clients instead of connecting directly to the web server.

Depending on what type of resources the clients want to access on the web server, a full-blown Squid might be overkill. If it's only port 443, and you don't need port 443 on StrongSwan for other purposes, you can use the redirect option of xinetd on StrongSwan. This will make /etc/hosts entries on your clients necessary; otherwise the web server's certificate would be rejected for the obvious name mismatch. There are other TCP proxies than xinetd redirect, but you get the idea.

TomTomTom

You can do this with iptables configured on the StrongSwan box.

# Leave packets that already match an outgoing IPsec policy untouched (no NAT)
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
# Rewrite the source of everything else from 10.0.0.0/8 leaving eth0 to eth0's own address
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

assuming eth0 is your egress interface (the Ethernet link to the Internet).

Christian
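The NAT-then-policy path that the two rules above depend on, traced in Python as an added example (not code from the answer or from strongSwan); the addresses come from the question, while the tunnel's traffic selector (2.2.2.2/32 to 192.168.0.1/32) and the egress address are assumptions:

```python
"""Model of the two nat POSTROUTING rules on the strongSwan host.

Added example, not code from the original answer. Addresses are taken
from the question; the tunnel's traffic selector is an assumption:
local 2.2.2.2/32 (strongSwan's external address) to 192.168.0.1/32.
"""
import ipaddress

EGRESS_IFACE = "eth0"                                   # -o eth0
NAT_SOURCE = ipaddress.ip_network("10.0.0.0/8")         # -s 10.0.0.0/8
EGRESS_ADDR = ipaddress.ip_address("2.2.2.2")           # what MASQUERADE picks
# Assumed host-to-host selector (local TS -> remote TS).
POLICY_LOCAL = ipaddress.ip_network("2.2.2.2/32")
POLICY_REMOTE = ipaddress.ip_network("192.168.0.1/32")


def matches_ipsec_policy(src, dst):
    """xfrm 'out' policy lookup: both ends must fall inside the selector."""
    return src in POLICY_LOCAL and dst in POLICY_REMOTE


def postrouting(src, dst, iface=EGRESS_IFACE):
    """Return (source address after NAT, 'ipsec' or 'clear') for one
    packet leaving the strongSwan host on `iface`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in NAT_SOURCE and iface == EGRESS_IFACE:
        # Rule 1 (-m policy --dir out --pol ipsec -j ACCEPT): a packet that
        # already matches an IPsec policy is exempt from NAT.
        if matches_ipsec_policy(src, dst):
            return str(src), "ipsec"
        # Rule 2 (-j MASQUERADE): rewrite the source to the egress address.
        src = EGRESS_ADDR
    # After NAT changed the source, the kernel re-evaluates the xfrm
    # policy, so a masqueraded client packet can now enter the tunnel.
    return str(src), ("ipsec" if matches_ipsec_policy(src, dst) else "clear")


if __name__ == "__main__":
    for s, d in [("10.2.0.1", "192.168.0.1"), ("10.3.0.1", "192.168.0.1"),
                 ("10.2.0.1", "198.51.100.7")]:
        print(s, "->", d, postrouting(s, d))
```

The third case shows the side effect worth knowing: rule 2 also masquerades client traffic to any other destination leaving eth0, not just tunnel-bound packets. On the real host, `ip xfrm policy` shows the actual selectors to use in place of the assumed ones.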