Problems with NAT because of OpenVPN and IPSec working on the same PC

I have a NAT problem on my VPN server. My network looks like this image:

Code:
        |                            |
        | WAN (1.2.3.4)              +--------------------- OpenVPN client (172.16.0.6)
        |                            |
        |                            | 
        | IPSec (192.168.0.0/22)     | OpenVPN (172.16.0.0/24)
        | igb0 ($ext_if)             | tun0 (172.16.0.1)
+-------+----------------------------+------+
|                                           |
|             My VPN server                 |
|                                           |
+--------------------+----------------------+
                     | LAN (192.168.37.0/24)
                     | igb1 ($int_if)
                     | 192.168.37.5
                     |
                     |
                     |
                     |

The problem is that I need to translate the source address of all OpenVPN clients to 192.168.37.5 (my IPSec policy implies that the 192.168.0.0/22 network is on the remote side and the 192.168.37.0/24 network is on my side).

I tried to use the following PF rule:

Code:
nat log on tun0 from { 172.16.0.0/24 } to { 192.168.0.0/22 } -> 192.168.37.5

And it does not work: in the IPSec tunnel, the packets have the 172.16.0.6 source address.

Code:
root@vpn:/usr/home/slavka # tcpdump -i igb0 src net 172.16.0.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:54:49.618289 IP 172.16.0.6.44296 > 192.168.1.2.ftp: Flags [S], seq 2171435695, win 8192, options [mss 1358,nop,wscale 8,nop,nop,sackOK], length 0
10:54:52.619358 IP 172.16.0.6.44296 > 192.168.1.2.ftp: Flags [S], seq 2171435695, win 8192, options [mss 1358,nop,wscale 8,nop,nop,sackOK], length 0

I have no idea what the problem is. Can you help me?

Thanks!
 
The NAT needs to be on the outgoing interface which, in this case, is igb1, not tun0 (that's the incoming interface).

Code:
nat log on igb1 from { 172.16.0.0/24 } to { 192.168.0.0/22 } -> 192.168.37.5
 
> The NAT needs to be on the outgoing interface which, in this case, is igb1, not tun0 (that's the incoming interface).

Ohhh... I feel so stupid. It's my mistake. Thanks. Now the source address is correct (192.168.37.5), but the remote side does not respond to ping:

Code:
root@vpn:/usr/home/slavka # tcpdump -i igb0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:36:01.115379 IP 192.168.37.5 > 192.168.1.2: ICMP echo request, id 17906, seq 1796, length 40
13:36:06.112149 IP 192.168.37.5 > 192.168.1.2: ICMP echo request, id 17906, seq 1797, length 40
13:36:11.113854 IP 192.168.37.5 > 192.168.1.2: ICMP echo request, id 17906, seq 1798, length 40
^C
3 packets captured


When I try to ping the remote side from the VPN server, it's OK:

Code:
slavka@vpn:/etc/pf# ping -S 192.168.37.5 192.168.1.2
PING 192.168.1.2 (192.168.1.2) from 192.168.37.5: 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=63 time=7.666 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=7.551 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=63 time=7.581 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=63 time=7.650 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=63 time=7.662 ms
64 bytes from 192.168.1.2: icmp_seq=5 ttl=63 time=7.950 ms


But tcpdump -i igb0 icmp does not see anything. Is it possible that in the first case (when NAT is used), the packets are not sent into the IPSec tunnel?
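Both captures in this thread show the same security-relevant symptom: the inner packet (first with source 172.16.0.6, then with 192.168.37.5) is visible in cleartext on igb0, the WAN interface, which means it left the box without being protected by the IPsec policy, whereas the ping sourced from the server itself is not visible as ICMP on igb0 at all (it went out as ESP). Whatever the cause turns out to be, that is the condition to test for after every NAT or policy change. The script below is an added example, not code from the thread; it is an offline leak check over tcpdump output from the WAN interface, flagging any non-ESP/AH/ISAKMP line whose destination falls inside the IPsec-protected prefix 192.168.0.0/22 from the thread. The sample capture is constructed for this example (two lines are modelled on the thread's own tcpdump output with numeric ports as `tcpdump -n` would print them; the ESP and unrelated TCP lines are invented), and the parser assumes tcpdump's default single-line `IP src > dst:` format without `-v` or `-e`.

```shell
#!/bin/sh
# Added example (not from the thread): check a tcpdump capture taken on the
# WAN interface for packets that should have travelled inside the IPsec
# tunnel but left in cleartext.
#
# Assumptions (label: example, not the thread's configuration):
#   - the IPsec-protected remote prefix is 192.168.0.0/22, i.e. 192.168.0.0
#     through 192.168.3.255 (third octet 0..3), as in the thread;
#   - tcpdump was run in its default single-line format, ideally with -n so
#     that hosts and ports are numeric.

# Constructed sample capture. The ICMP and TCP-to-192.168.1.2 lines mirror the
# thread's output; the ESP line is what a correctly tunnelled packet looks
# like on igb0; the last line is unrelated WAN traffic that must not be flagged.
SAMPLE_CAPTURE='13:36:01.115379 IP 192.168.37.5 > 192.168.1.2: ICMP echo request, id 17906, seq 1796, length 40
13:36:02.001000 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0x0000abcd,seq=0x2a), length 132
13:36:06.112149 IP 172.16.0.6.44296 > 192.168.1.2.21: Flags [S], seq 2171435695, win 8192, length 0
13:36:07.000000 IP 1.2.3.4.443 > 9.9.9.9.51234: Flags [.], ack 1, win 1024, length 0'

# leaked_to_remote: read tcpdump lines on stdin, print only the ones that are
# a cleartext IPv4 packet destined to 192.168.0.0/22.
# ESP, AH and IKE (udp/500, udp/4500) lines are dropped first: they are the
# tunnel itself, not a leak.
leaked_to_remote() {
    grep -v -E 'ESP\(|AH\(|isakmp|\.(500|4500)[ :]' |
    awk '
        # Default tcpdump layout: $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:"
        # where dst is "a.b.c.d" for ICMP or "a.b.c.d.port" for TCP/UDP.
        $2 == "IP" {
            dst = $5
            sub(/:$/, "", dst)
            n = split(dst, o, ".")
            if (n != 4 && n != 5) next
            if (o[1] == "192" && o[2] == "168" &&
                o[3] ~ /^[0-9]+$/ && o[3] + 0 <= 3)
                print
        }'
}

# check_capture: prints "LEAK" plus the offending lines and returns 1 when the
# capture (passed as one string) contains cleartext traffic to the protected
# prefix; prints "OK" and returns 0 otherwise, so it can gate a change script.
check_capture() {
    leaks=$(printf '%s\n' "$1" | leaked_to_remote)
    if [ -n "$leaks" ]; then
        printf 'LEAK\n%s\n' "$leaks"
        return 1
    fi
    echo OK
}

# Stand-alone run against the constructed sample. In real use, capture with
#   tcpdump -n -i igb0 dst net 192.168.0.0/22 > capture.txt
# while an OpenVPN client pings the remote side, then
#   check_capture "$(cat capture.txt)"
check_capture "$SAMPLE_CAPTURE" || echo "cleartext traffic to the IPsec network seen on the WAN interface"
```

Run it against a capture taken while an OpenVPN client pings 192.168.1.2: a healthy setup shows only ESP (and possibly IKE) between the two tunnel endpoints on igb0 and the script prints OK; any line it prints is a packet that bypassed the IPsec policy and reached the Internet unencrypted.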
 