VPN x Iptables NAT rules problem

Hello Experts,

I'm having some problems with firewall rules and would like the help of you guys.

I added a VPN connection (StrongSwan), but I cannot access the network from the other end.

When I run the firewall script (iptables), the script flushes the rules (filter and nat) and adds the new rules. While the script rules are not added (policy: accept) I can access the other end of the VPN, but when the nat table rules are added, I lose the communication.

Yes, I know there must be an error in the nat rules, but I cannot figure out exactly which rule(s) is (are) causing that impact.

I tried to use iptables TRACE, but I have a lot of rules applied and I cannot understand the results and I cannot locate exactly what the problem is.

And now the weirdest part (I think): I have another VPN connection (another network destination) configured on the same machine, with exactly the same rules and do not have this problem.

Can any of the experts give me an idea of how I can try to do the troubleshooting or how I can try to solve this problem? I'm lost!

Thanks in advance!

Best Regards

noci (Software Engineer) commented:
First, what NAT & FILTER rules are you trying to impose, & how?
AFAICT Strongswan doesn't insert those by itself. Can you show the strongswan config? Please remove all sensitive data like IP addresses,
or better replace left with L.1.1.1 & right with R.2.2.2, but do it consistently, f.e. if there are 2 Right sides: R.2.2.2 for one and R. for the other. Hashing & encryption should be removed also.

Fabio (Consultant, Author) commented:
Hi Noci!!

Thanks indeed for your reply.

Please accept my apologies for the delay in replying to this message, but I spent some sleepless nights and needed to rest to continue troubleshooting (after the 3rd day I could not think anymore).

StrongSwan adds some rules for the "left/rightfirewall" and "left/righthostaccess" and these rules were successfully added, but the problem is not the rules added by StrongSwan... After the following procedure I can access the "other end" (ipsec stop; iptables -t nat -F; iptables -F; ipsec start)... then, after I add all rules (except the "iptables -t nat" rules) I'm still able to reach the "other end"... but after the NAT rules addition I'm unable to reach (any protocol) the "other end".

In my opinion it is a mistake (my mistake) in NAT rules, but I have not yet been able to identify which rule is causing this problem. I'm trying to use the iptables TRACE to help me identify the rule.

As I wrote before, the weirdest thing about this problem is that I have another tunnel UP with almost the same configuration as this VPN, and it's working fine... the iptables rules are also pretty much the same.

I'll try to identify the rules one by one today and I'll keep you informed as soon as I find something (I hope) or not. If I can't find the problem today, then I'll copy the StrongSwan configs and I'll copy the iptables rules too (yes, I will hide all the sensitive information! thanks for the advice).

Once again, thank you indeed for your reply and attention!!

Best Regards
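The symptom described in this thread (tunnel works until the nat table is loaded, identical rules work for another tunnel) is most often caused by a SNAT/MASQUERADE rule in POSTROUTING that rewrites the source address of packets bound for the remote subnet before the IPsec policy is consulted, so they never match the tunnel. The script below is an added example, not code from the thread or from StrongSwan: it prints a rule set with the usual exemption (an ACCEPT with `-m policy --pol ipsec` ahead of the MASQUERADE) and checks a POSTROUTING rule dump for that ordering. All subnets and the interface name are placeholders.

```shell
#!/bin/sh
# Placeholder values (assumed, not from the thread): local LAN, the subnet
# behind the remote VPN gateway, and the interface the MASQUERADE rule uses.
LOCAL_NET=10.0.1.0/24
REMOTE_NET=192.168.50.0/24
WAN_IF=eth0

# nat_rules: print a POSTROUTING rule set in which traffic for the remote
# VPN subnet is exempted from NAT *before* the MASQUERADE rule is reached.
# Without the exemption, packets for REMOTE_NET get their source rewritten
# to the WAN address, no longer match the IPsec policy, and never enter the
# tunnel, which is what "lose the communication after the nat rules" looks like.
nat_rules() {
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -s $LOCAL_NET -o $WAN_IF -j MASQUERADE"
}

# check_nat_order: read the output of "iptables -t nat -S POSTROUTING" on
# stdin; exit 0 if every SNAT/MASQUERADE rule is preceded by an IPsec
# exemption (an ACCEPT rule carrying -m policy --pol ipsec), otherwise print
# the first NAT rule reachable without the exemption and exit 1.
check_nat_order() {
    awk '
        /-j (MASQUERADE|SNAT)/ && !exempt {
            print "NAT rule reachable before IPsec exemption: " $0
            bad = 1
            exit
        }
        /-m policy/ && /--pol ipsec/ && /-j ACCEPT/ { exempt = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of what "iptables -t nat -S POSTROUTING" might print on
# a host with the problem from the thread (placeholder addresses).
BROKEN_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE'

# The same host after the exemption is inserted ahead of the MASQUERADE.
FIXED_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -d 192.168.50.0/24 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE'

printf '%s\n' "$BROKEN_NAT" | check_nat_order || echo "broken set: NAT hides tunnel traffic"
printf '%s\n' "$FIXED_NAT"  | check_nat_order && echo "fixed set: exemption precedes NAT"
```

On the affected host, `iptables -t nat -S POSTROUTING | check_nat_order` names the first offending rule; comparing that output with the same dump from the machine whose second tunnel works is a quicker first step than reading a full TRACE log.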