
I'm trying to configure a test VPN setup to route pings to an instance's public IP. A corporate vendor we are connecting to has reserved all private space on their side. I'm not sure what NAT rules I need to get the VPN router instance on our side to forward traffic to the corresponding instance behind it based on its public address, rather than its private one.

I have a topology like

A-Server <-> A-VPN <--internet--> B-VPN <-> B-Server.

The VPN tunnel is established and I'm able to ping either side via private IP without issue. Pinging the public IP does get to the VPN machine at the 'other' side but stops there (indicated by activity in "$ ip xfrm monitor", I think?).

Both VPN instances have the A-Server Public IP/32 in their allowed subnets on the left/right sides where suitable.

The following NAT rules on the A-VPN instance don't appear to work, and I'm not sure if I am misusing them or how to debug further.

iptables -t nat -A POSTROUTING -s <A-Server PRIVATE IP>/32 -d <B-Server PRIVATE IP>/32 -j SNAT --to-source <A-Server PUBLIC IP>
iptables -t nat -A PREROUTING -s <B-Server PRIVATE IP>/32 -d <A-Server PUBLIC IP>/32 -j DNAT --to-destination <A-Server PRIVATE IP>

Current rules on A-VPN:

# iptables-save
# Generated by iptables-save v1.4.21 on Fri Feb 15 11:12:15 2019
*nat
:PREROUTING ACCEPT [2:168]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [21:1848]
:POSTROUTING ACCEPT [23:2016]
-A PREROUTING -s 172.31.24.75/32 -d <A-Server PUBLIC IP>/32 -j DNAT --to-destination 10.0.10.15
-A POSTROUTING -s 10.0.0.34/32 -d 172.31.24.75/32 -j SNAT --to-source <A-Server PUBLIC IP>
COMMIT
# Completed on Fri Feb 15 11:12:15 2019
# Generated by iptables-save v1.4.21 on Fri Feb 15 11:12:15 2019
*filter
:INPUT ACCEPT [104381:64450743]
:FORWARD ACCEPT [189:13956]
:OUTPUT ACCEPT [89586:3506732]
COMMIT
# Completed on Fri Feb 15 11:12:15 2019

1 Answer

After some reading and support I managed to solve the issue.

Steps taken:

'LEFT' side:

  • created a new Elastic IP without allocating it to an instance.
  • added <unallocated EIP> to the A-VPN .conf file's leftsubnets.
  • added these iptables rules to A-VPN:
    • iptables -t nat -A PREROUTING -d <unallocated EIP> -j DNAT --to-destination <A-Server PRIVATE IP>
    • iptables -t nat -A POSTROUTING -d <B-Server PRIVATE IP> -j SNAT --to-source <unallocated EIP>

'RIGHT' side:

  • added <unallocated EIP> to the B-VPN .conf file's rightsubnets.
  • added a VPC subnet route table rule to send traffic with destination <unallocated EIP> via B-VPN.

Both VPN machines:

  • Restarted ipsec.

At this point tcpdump on all machines shows correct routing and IP rewriting when pinging from B-Server to A-Server via the public IP <unallocated EIP>.
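To make the two nat rules in the answer (and the question's original SNAT/DNAT attempt) easier to reason about, here is an added example that models what A-VPN's nat table and the tunnel's traffic selectors do to a ping in each direction. It is a simulation written for this page, not code from the question, the answer, or any IPsec project. The addresses 10.0.10.15 (A-Server private, the DNAT target in the question's iptables-save dump) and 172.31.24.75 (B-Server private) come from the question; 198.51.100.10 is a constructed placeholder for <unallocated EIP>, and "local"/"remote" stand in for whichever of leftsubnets/rightsubnets applies on each box. It shows that only the first packet of a flow is matched against the rules, replies are reversed from conntrack state, the DNAT rule carries B-initiated pings and the SNAT rule carries A-initiated ones, and that the EIP/32 must be in the selector before the packet is tunnelled at all.

```python
"""Model of A-VPN's nat table and the tunnel selector from the answer.

Constructed values (labelled, not from a real deployment):
  A_PRIV  10.0.10.15     A-Server private IP (from the question's dump)
  B_PRIV  172.31.24.75   B-Server private IP (from the question's dump)
  EIP     198.51.100.10  placeholder for <unallocated EIP> (RFC 5737 range)
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

A_PRIV = "10.0.10.15"
B_PRIV = "172.31.24.75"
EIP = "198.51.100.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int  # ICMP echo id, the field conntrack uses to tell pings apart


@dataclass(frozen=True)
class NatRule:
    chain: str            # "PREROUTING" rewrites dst (DNAT), "POSTROUTING" rewrites src (SNAT)
    dst: Optional[str]    # -d match, None = any
    src: Optional[str]    # -s match, None = any
    to: str               # --to-destination / --to-source

    def matches(self, pkt: Packet) -> bool:
        return self.dst in (None, pkt.dst) and self.src in (None, pkt.src)


class NatRouter:
    """Stateful NAT as the nat table behaves: only the first packet of a flow
    traverses the rules; later packets and replies follow the conntrack entry."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}  # original (src, dst, id) -> translated (src, dst)

    def forward(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.dst, pkt.ident)
        if key in self.conntrack:                        # known flow, same direction
            nsrc, ndst = self.conntrack[key]
            return replace(pkt, src=nsrc, dst=ndst)
        for (osrc, odst, oid), (nsrc, ndst) in self.conntrack.items():
            if oid == pkt.ident and (pkt.src, pkt.dst) == (ndst, nsrc):
                return replace(pkt, src=odst, dst=osrc)  # reply: undo the translation
        out = pkt
        for chain in ("PREROUTING", "POSTROUTING"):     # POSTROUTING sees the DNATed packet
            for rule in self.rules:
                if rule.chain == chain and rule.matches(out):
                    out = replace(out, dst=rule.to) if chain == "PREROUTING" \
                        else replace(out, src=rule.to)
                    break                                # first match in a chain wins
        self.conntrack[key] = (out.src, out.dst)
        return out


# The two rules the answer adds on A-VPN (no -s match, exactly as given there).
A_VPN_RULES = [
    NatRule("PREROUTING", dst=EIP, src=None, to=A_PRIV),
    NatRule("POSTROUTING", dst=B_PRIV, src=None, to=EIP),
]


def ping_round_trip(router: NatRouter, src: str, dst: str, ident: int):
    """One echo request through the router, then its reply back the other way;
    returns the packet that leaves the router in each direction."""
    req_out = router.forward(Packet(src, dst, ident))
    reply_in = Packet(req_out.dst, req_out.src, ident)   # echoed back by the receiver
    return req_out, router.forward(reply_in)


def b_pings_eip():
    """B-Server -> EIP: the DNAT rule delivers it to A-Server; conntrack
    rewrites the reply's source back to the EIP."""
    return ping_round_trip(NatRouter(A_VPN_RULES), B_PRIV, EIP, 1)


def a_pings_b():
    """A-Server -> B-Server: the SNAT rule presents A as the EIP; the reply to
    the EIP is reversed from state rather than hitting the DNAT rule again."""
    return ping_round_trip(NatRouter(A_VPN_RULES), A_PRIV, B_PRIV, 2)


def tunnel_selects(pkt: Packet, local, remote) -> bool:
    """IPsec policy selector: a local->remote pair must match or xfrm has no
    policy for the packet and it is never tunnelled (what the question saw)."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return any(s in ip_network(n) for n in local) and any(d in ip_network(n) for n in remote)


def b_vpn_policy_match():
    """Before/after adding EIP/32 to B-VPN's remote-side subnets (the answer's
    rightsubnets step), for a packet from B-Server to the EIP."""
    pkt = Packet(B_PRIV, EIP, 1)
    before = tunnel_selects(pkt, [B_PRIV + "/32"], [A_PRIV + "/32"])
    after = tunnel_selects(pkt, [B_PRIV + "/32"], [A_PRIV + "/32", EIP + "/32"])
    return before, after
```

Running `b_pings_eip()` gives `(B_PRIV -> A_PRIV, EIP -> B_PRIV)` and `a_pings_b()` gives `(EIP -> B_PRIV, B_PRIV -> A_PRIV)`, while `b_vpn_policy_match()` returns `(False, True)`. The `NatRule.src` field is there so you can scope the answer's POSTROUTING rule with `-s <A-Server PRIVATE IP>` and confirm the round trips still work; as written, that rule SNATs anything on A-VPN bound for B-Server's private address, which is broader than the one host the question needs.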
