I'm attempting to set up a VPN tunnel between a Cisco ASA 5520 and an Openswan server running on Ubuntu 14.04 on an Amazon VPC instance. I do not have access to the ASA, and have been given the following connection requirements from that end -
AES-SHA, No PFS, and our internal subnet (which is 10.0.0.0/24) must be presented to the Cisco side as a different range, 192.168.200.0/24.
These are the general configs I have in place -
ASA public - 1.2.3.4
ASA internal network - 192.168.50.0/24
Openswan EIP - 5.6.7.8
Openswan internal IP - 10.0.0.10
Openswan internal network - 10.0.0.0/24
Contents of /etc/ipsec.conf -
version 2.0
# basic configuration
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.50.0/24
    oe=off
    protostack=netkey

include /etc/ipsec.d/vpntunnel.conf
Contents of /etc/ipsec.d/vpntunnel.conf
conn vpntunnel
    type=tunnel
    authby=secret
    left=10.0.0.10
    leftsubnet=10.0.0.0/24
    right=1.2.3.4
    rightsubnet=192.168.50.0/24
    ike=aes-sha
    pfs=no
    auto=start
    salifetime=24h
    ikelifetime=480m
Contents of /etc/ipsec.secrets
10.0.0.10 1.2.3.4 : PSK "mysharedkey"
The tunnel comes up fine as far as I can tell -
000 #137: "vpntunnel":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 83824s; newest IPSEC; eroute owner; isakmp#136; idle; import:not set
000 #137: "vpntunnel" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #136: "vpntunnel":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26216s; newest ISAKMP; lastdpd=3s(seq in:0 out:0); idle; import:not set
I'm trying to tunnel from one specific server on the Openswan side, IP address 10.0.0.11, to the ASA side.
On server 10.0.0.11 I've added the following route -
ip route add 192.168.50.0/24 via 10.0.0.10
The problem I'm having is getting the traffic from 10.0.0.0/24 to show up on the ASA side of the tunnel as 192.168.200.0/24.
From what I can tell, I should be able to use the following -
iptables -t nat -A PREROUTING -d 192.168.200.0/24 -s 192.168.50.0/24 -j NETMAP --to 10.0.0.0/24
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.50.0/24 -j NETMAP --to 192.168.200.0/24
However, there is no traffic getting through the tunnel. Since the traffic going through the tunnel is only for 1 server, I would be fine with a specific IP NAT instead of a NETMAP, but those rules didn't seem to work either.
iptables -t nat -A PREROUTING -d 192.168.50.0/24 -i eth0 -j DNAT --to-destination 10.0.0.11
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.50.11
I've also tried to use KLIPS, so as to have the separate ipsec0 adapter, but have been unable to compile it properly.
As of now, my iptables nat table is empty when I run the following command -
iptables -t nat -nvL
Can anyone tell me what I'm missing?
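As an added illustration (not part of the original post, and not Openswan or iptables code), the Python script below models the two mechanisms this setup relies on: 1:1 NETMAP address rewriting as iptables performs it (host bits kept, network bits replaced), and the traffic selector that an Openswan conn installs from leftsubnet/rightsubnet. The subnets and the two NETMAP rules are the ones from the post; the peer host 192.168.50.5 on the ASA side and the alternative selector leftsubnet=192.168.200.0/24 are assumed values used only for the comparison. The kernel behaviour modelled, that with the netkey stack the outbound policy lookup sees the post-NAT addresses while the inbound check sees the addresses that were inside the tunnel, is what the documented "NAT before IPsec" recipe for Openswan/netkey depends on.

```python
"""Model of iptables NETMAP plus an Openswan conn's traffic selector (added example)."""
import ipaddress
from dataclasses import dataclass

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def netmap(addr: Addr, from_net: Net, to_net: Net) -> Addr:
    """1:1 NETMAP as iptables does it: keep the host bits of addr, swap the
    network bits of from_net for those of to_net (equal prefix lengths)."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NETMAP needs the same prefix length on both sides")
    if addr not in from_net:
        return addr
    host_bits = int(addr) & int(from_net.hostmask)
    return Addr(int(to_net.network_address) | host_bits)


@dataclass
class NatRule:
    """One nat-table rule: -s src -d dst -j NETMAP --to to_net, rewriting either
    the source (POSTROUTING) or the destination (PREROUTING)."""
    src: Net
    dst: Net
    field: str   # "src" or "dst"
    to_net: Net

    def matches(self, src: Addr, dst: Addr) -> bool:
        return src in self.src and dst in self.dst

    def rewrite(self, src: Addr, dst: Addr):
        if self.field == "src":
            return netmap(src, self.src, self.to_net), dst
        return src, netmap(dst, self.dst, self.to_net)


def apply_chain(src: Addr, dst: Addr, rules):
    """nat chains are first-match: the first matching rule rewrites and terminates."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.rewrite(src, dst)
    return src, dst


@dataclass
class Conn:
    """The traffic selector an Openswan conn installs: leftsubnet <-> rightsubnet."""
    leftsubnet: Net
    rightsubnet: Net

    def selects_out(self, src: Addr, dst: Addr) -> bool:
        return src in self.leftsubnet and dst in self.rightsubnet

    def selects_in(self, src: Addr, dst: Addr) -> bool:
        return src in self.rightsubnet and dst in self.leftsubnet


def outbound(src, dst, postrouting, conn):
    """Forwarded packet leaving the gateway: POSTROUTING nat runs first, then the
    (netkey) outbound policy lookup is done on the rewritten addresses."""
    src, dst = apply_chain(src, dst, postrouting)
    return str(src), str(dst), conn.selects_out(src, dst)


def inbound(src, dst, prerouting, conn):
    """Decapsulated packet arriving from the peer: the selector check uses the
    inner (pre-NAT) addresses, then PREROUTING nat maps the presented address
    back to the real host."""
    accepted = conn.selects_in(src, dst)
    src, dst = apply_chain(src, dst, prerouting)
    return str(src), str(dst), accepted


# Subnets and rules from the post; 192.168.50.5 is an assumed host on the ASA side.
REAL = Net("10.0.0.0/24")
PRESENTED = Net("192.168.200.0/24")
ASA_LAN = Net("192.168.50.0/24")
POSTROUTING = [NatRule(REAL, ASA_LAN, "src", PRESENTED)]     # the post's POSTROUTING NETMAP
PREROUTING = [NatRule(ASA_LAN, PRESENTED, "dst", REAL)]      # the post's PREROUTING NETMAP


def check_setup(leftsubnet: Net):
    """Run the sample flow both ways for a conn with the given leftsubnet."""
    conn = Conn(leftsubnet, ASA_LAN)
    return {
        "out": outbound(Addr("10.0.0.11"), Addr("192.168.50.5"), POSTROUTING, conn),
        "in": inbound(Addr("192.168.50.5"), Addr("192.168.200.11"), PREROUTING, conn),
    }


if __name__ == "__main__":
    for left in (REAL, PRESENTED):
        print(f"leftsubnet={left}: {check_setup(left)}")
```

Running it shows the mismatch the model is built to expose: with leftsubnet=10.0.0.0/24, the POSTROUTING NETMAP turns 10.0.0.11 into 192.168.200.11 before the policy lookup, and 192.168.200.11 is not inside the conn's leftsubnet, so the rewritten packet is not selected for the tunnel in either direction; with leftsubnet=192.168.200.0/24 the same rules are matched both ways and the inbound packet is mapped back to 10.0.0.11. On a real gateway the rules also have to actually be present in the nat table (an empty iptables -t nat -nvL means no translation is happening at all), and the presented range must match what the ASA's crypto ACL is configured for.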