I'm attempting to set up a VPN tunnel between a Cisco ASA 5520 and an Openswan server running on Ubuntu 14.04 on an Amazon VPC instance. I do not have access to the ASA, and have been given the following connection requirements from that end -

AES-SHA, No PFS, and our internal subnet (which is 10.0.0.0/24) must be presented to the Cisco side as a different range, 192.168.200.0/24.

These are the general configs I have in place -

ASA public - 1.2.3.4
ASA internal network - 192.168.50.0/24

Openswan EIP - 5.6.7.8
Openswan internal IP - 10.0.0.10
Openswan internal network - 10.0.0.0/24

Contents of /etc/ipsec.conf -

version 2.0
# basic configuration
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.50.0/24
    oe=off
    protostack=netkey
include /etc/ipsec.d/vpntunnel.conf

Contents of /etc/ipsec.d/vpntunnel.conf

conn vpntunnel
    type=           tunnel
    authby=         secret
    left=           10.0.0.10
    leftsubnet=     10.0.0.0/24
    right=          1.2.3.4
    rightsubnet=    192.168.50.0/24
    ike=            aes-sha
    pfs=            no
    auto=           start
    salifetime=     24h
    ikelifetime=    480m

Contents of /etc/ipsec.secrets

10.0.0.10 1.2.3.4 : PSK "mysharedkey"

The tunnel comes up fine as far as I can tell -

000 #137: "vpntunnel":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 83824s; newest IPSEC; eroute owner; isakmp#136; idle; import:not set  
000 #137: "vpntunnel" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761    
000 #136: "vpntunnel":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26216s; newest ISAKMP; lastdpd=3s(seq in:0 out:0); idle; import:not set  

I'm trying to tunnel from one specific server on the Openswan side to the ASA side, IP address 10.0.0.11.

On server 10.0.0.11 I've added the following route -

ip route add 192.168.50.0/24 via 10.0.0.10  

The problem I'm having is getting the traffic from 10.0.0.0/24 to show up on the ASA side of the tunnel as 192.168.200.0/24.
From what I can tell, I should be able to use the following -

iptables -t nat -A PREROUTING -d 192.168.200.0/24 -s 192.168.50.0/24 -j NETMAP --to 10.0.0.0/24  
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.50.0/24 -j NETMAP --to 192.168.200.0/24    

However, there is no traffic getting through the tunnel. Since the traffic going through the tunnel is only for 1 server, I would be fine with a specific IP NAT instead of a NETMAP, but those rules didn't seem to work either.

iptables -t nat -A PREROUTING -d 192.168.50.0/24 -i eth0 -j DNAT --to-destination 10.0.0.11   
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.50.11  

I've attempted to try to use KLIPS as well, to use the separate ipsec0 adapter, but have been unable to compile that properly.

As of now, my iptables are empty when I run the following command -

iptables -t nat -nvL  

Can anyone tell me what I'm missing?