
I have the following network setup:

                                        +-----------------------------------+
                                        |                                   |
+------------------------+              |            Public Box             |
|       Client Box       |    IPSEC     |       public IP: x.x.x.x          |
|     192.168.13.21      +--------------+ source IP for IPSEC: 192.168.23.1 |
+------------------------+              |                                   |
                                        +-----------------------------------+

The Client Box has no publicly available IP address (it is hidden behind a NAT router which itself gets a 10.x.x.x/8 address from the internet provider (carrier-grade NAT)), but it has a permanently running IPSEC tunnel to the Public Box. I can communicate between the Public Box and the Client Box by their 192.x.x.x addresses. The Public Box is configured to use the IP address 192.168.23.1 to communicate inside the IPSEC tunnel and is also reachable via this address from the Client Box and other boxes. The public IP address of the Public Box is not in the encryption domains (leftsubnet / rightsubnet) of the IPSEC configuration.

So far everything works perfectly. The goal is now to make one IP port (443) of the Client Box publicly available from the Internet, forwarding any connection directed to port 10443 of the public IP address of the Public Box to port 443 of the Client Box, through the IPSEC tunnel.

I have tried the following rule (all chain policies are set to ACCEPT):

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 10443 -j DNAT --to 192.168.13.21:443

This didn't work. When trying to telnet to port 10443 of the Public Box, I get "telnet: connect to address x.x.x.x: Network is unreachable".

The reason seems to be that the Public Box tries to look up the 192.168.13.21 IP address via ARP; it doesn't put the connection into the IPSEC tunnel.

00:26:42.649885 IP 88.217.180.252.34730 > x.x.x.x.10443: Flags [S], seq 17484960, win 65535, options [mss 1412,nop,wscale 5,nop,nop,TS val 1133369435 ecr 0,sackOK,eol], length 0
00:26:42.650012 ARP, Request who-has 192.168.13.21 tell x.x.x.x, length 28

I believe this is because the SOURCE address of this packet is the source address of the originator of the connection, so it will not be packed into the tunnel (the tunnel only routes 192.168.23.0/24 <--> 192.168.13.0/24).

So, my question is: is it possible to NAT the SOURCE address of the incoming packet to 192.168.23.1 so that it is routed through the IPSEC tunnel to the Client Box, and any answer packet arrives at the Public Box again in order to get "un-masqueraded" and sent back to the originator?

Is that possible at all?

Andrew Schulman
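An added example, not part of the question above and not a verified answer to it, showing the DNAT plus SNAT rule pair the question asks about, together with a small check of why the untranslated source address falls outside the tunnel's traffic selector. It assumes Linux iptables on the Public Box with public interface eth0 (the interface named in the question's rule), tunnel-side address 192.168.23.1, client 192.168.13.21, and a policy-based tunnel whose selectors are 192.168.23.0/24 <-> 192.168.13.0/24 as the question states; the helper names (`ip4_to_int`, `in_subnet`, `tunnel_selects`, `nat_rules`, `explain`) and the two FORWARD rules are my own additions.

```shell
#!/bin/sh
# Added example (not from the original question): forward x.x.x.x:10443 to
# 192.168.13.21:443 through the IPsec tunnel by DNATing the destination and
# SNATing the source to the tunnel-side address 192.168.23.1.
# Assumed values (taken from the question where it states them):
PUB_IF=eth0                 # public interface of the Public Box
PUB_PORT=10443              # port exposed on the public IP
CLIENT=192.168.13.21        # Client Box, reachable only through the tunnel
CLIENT_PORT=443
TUN_SRC=192.168.23.1        # Public Box address inside the tunnel
TUN_LEFT=192.168.23.0/24    # tunnel selector, Public Box side (leftsubnet)
TUN_RIGHT=192.168.13.0/24   # tunnel selector, Client Box side (rightsubnet)

# ip4_to_int 192.168.23.1 -> 3232241409 (dotted quad to 32-bit integer)
ip4_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS: succeed when ADDR lies inside NET/BITS
in_subnet() {
    _addr=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# tunnel_selects SRC DST: succeed when the SRC->DST pair matches the
# tunnel's traffic selector, i.e. the packet would be encrypted rather
# than routed (and ARPed for) in the clear
tunnel_selects() {
    in_subnet "$1" "$TUN_LEFT" && in_subnet "$2" "$TUN_RIGHT"
}

# nat_rules: print the iptables commands (pipe into sh as root to apply).
# conntrack records both translations, so replies from CLIENT:443 to
# TUN_SRC are mapped back to the original client automatically.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $CLIENT:$CLIENT_PORT
iptables -t nat -A POSTROUTING -d $CLIENT -p tcp --dport $CLIENT_PORT -j SNAT --to-source $TUN_SRC
iptables -A FORWARD -d $CLIENT -p tcp --dport $CLIENT_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $CLIENT -p tcp --sport $CLIENT_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# explain: show why DNAT alone fails and SNAT fixes it, using the source
# address from the tcpdump line in the question (88.217.180.252)
explain() {
    for src in 88.217.180.252 "$TUN_SRC"; do
        if tunnel_selects "$src" "$CLIENT"; then
            echo "$src -> $CLIENT: inside selector, enters the tunnel"
        else
            echo "$src -> $CLIENT: outside selector, routed in the clear"
        fi
    done
}

case "${1:-show}" in
    apply) nat_rules | sh ;;       # needs root and iptables
    *)     explain; nat_rules ;;
esac
```

Run it without arguments to see the selector check and the rules; run it with `apply` as root to install them. Two caveats for a practitioner: the Client Box will see every connection as coming from 192.168.23.1, so its own logs and any per-client access control on port 443 lose the real origin; and the example relies on the Linux NAT code re-running the IPsec policy lookup after POSTROUTING rewrites the source (an assumption about the kernel, not something the question confirms). Verify on the Public Box with `ip -s xfrm state` that the ESP packet counters increase while a connection to port 10443 is open, and with `conntrack -L` (if installed) that the entry shows both translations.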

0 Answers