VPN x Iptables NAT rules problem

Hello Experts,

I'm having some problems with firewall rules and would like the help of you guys.

I added a VPN connection (StrongSwan), but I cannot access the network at the other end.

When I run the firewall script (iptables), the script flushes the rules (filter and nat) and adds the new rules. While the script's rules are not yet added (policy: ACCEPT) I can access the other end of the VPN, but once the nat table rules are added I lose the communication.

Yes, I know there must be an error in the nat rules, but I cannot figure out exactly which rule(s) is (are) causing that impact.

I tried to use iptables TRACE, but I have a lot of rules applied, so I cannot understand the results and cannot locate exactly where the problem is.

And now the weirdest part (I think): I have another VPN connection (another destination network) configured on the same machine, with exactly the same rules, and it does not have this problem.

Can any of the experts give me an idea of how I can approach the troubleshooting, or how I can try to solve this problem? I'm lost!

Thanks in advance!

Best Regards
noci (Software Engineer) commented:
First, what NAT & FILTER rules are you trying to impose, and how?
AFAICT StrongSwan doesn't insert those by itself. Can you show the StrongSwan config? Please remove all sensitive data like IP addresses,
or better, replace left with L.1.1.1 & right with R.2.2.2, but do it consistently, e.g. if there are 2 right sides: R.2.2.2 for one and R. for the other. Hashing & encryption should be removed also.
Fabio (Consultant, Author) commented:
Hi Noci!!

Thanks indeed for your reply.

Please accept my apologies for the delay in replying to this message, but I spent some sleepless nights and needed to rest to continue troubleshooting (after the 3rd day I could not think anymore).

StrongSwan adds some rules for "left/rightfirewall" and "left/righthostaccess", and these rules were successfully added, but the problem is not the rules added by StrongSwan... After the following procedure I can access the "other end" (ipsec stop; iptables -t nat -F; iptables -F; ipsec start)... then, after I add all rules (except the "iptables -t nat" rules) I'm still able to reach the "other end"... but after the NAT rules are added I'm unable to reach the "other end" (with any protocol).

In my opinion it is a mistake (my mistake) in the NAT rules, but I have not yet been able to identify which rule is causing this problem. I'm trying to use the iptables TRACE to help me identify the rule.

As I wrote before, the weirdest thing about this problem is that I have another tunnel UP with almost the same configuration as this VPN, and it's working fine... the iptables rules are also pretty much the same.

I'll try to identify the rules one by one today and I'll keep you informed as soon as I find something (I hope) or not. If I can't find the problem today, then I'll copy the StrongSwan configs and the iptables rules too (yes, I will hide all the sensitive information! Thanks for the advice).

Once again, thank you indeed for your reply and attention!!

Best Regards
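The symptom described in the question and repeated in Fabio's follow-up (the tunnel works until the nat table rules are loaded, and StrongSwan's own rules are not the cause) matches a well-known pitfall of policy-based IPsec on Linux: nat/POSTROUTING is evaluated before the kernel's outbound IPsec policy lookup, so a MASQUERADE or SNAT rule on the external interface rewrites the source address of LAN-to-remote-site packets, and the rewritten packet no longer matches the tunnel's selectors and leaves in the clear. The thread does not show the actual rules, so whether that is the cause here, and why the second tunnel is unaffected, cannot be confirmed from the page. The script below is an added example, not code from the thread: it simulates first-match evaluation of nat/POSTROUTING over iptables-save text and reports which rule takes tunnel traffic out of the IPsec policy. The subnets, interface name, external address and rulesets are constructed; `-m policy --dir out --pol ipsec` is the real iptables match that StrongSwan's documentation recommends for exactly this exemption.

```python
"""Added example (not from the thread): first-match simulator for nat/POSTROUTING.

For a packet from the LAN to the remote IPsec subnet it answers: which POSTROUTING
rule fires first, and does that rule rewrite the source so the packet no longer
matches the IPsec policy?  Only -s, -d, -o, -m policy --dir out --pol ipsec, -j and
--to-source are understood; anything else raises instead of being silently ignored.
All addresses, interface names and rules below are constructed sample data.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Spd = List[Tuple[Net, Net]]  # outbound IPsec policies as (local subnet, remote subnet)


@dataclass
class Rule:
    raw: str
    src: Optional[Net] = None
    dst: Optional[Net] = None
    out_if: Optional[str] = None
    pol_ipsec: bool = False          # -m policy --dir out --pol ipsec
    target: str = ""
    to_source: Optional[str] = None  # SNAT --to-source


def parse_postrouting(save_text: str) -> List[Rule]:
    """Return the nat table's POSTROUTING rules from iptables-save text, in order."""
    rules, in_nat = [], False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
            continue
        if not (in_nat and line.startswith("-A POSTROUTING ")):
            continue
        tok = shlex.split(line)[2:]  # drop "-A POSTROUTING"
        r, i = Rule(raw=line), 0
        while i < len(tok):
            opt = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) else ""  # every supported option takes one argument
            if opt == "-s":
                r.src = ipaddress.ip_network(arg, strict=False)
            elif opt == "-d":
                r.dst = ipaddress.ip_network(arg, strict=False)
            elif opt == "-o":
                r.out_if = arg
            elif (opt, arg) in (("-m", "policy"), ("--dir", "out")):
                pass
            elif (opt, arg) == ("--pol", "ipsec"):
                r.pol_ipsec = True
            elif opt == "-j":
                r.target = arg
            elif opt == "--to-source":
                r.to_source = arg
            else:
                raise ValueError(f"unsupported option {opt} {arg} in: {line}")
            i += 2
        rules.append(r)
    return rules


def in_spd(spd: Spd, src, dst) -> bool:
    """Would the kernel's outbound IPsec policy lookup select a tunnel for (src, dst)?"""
    return any(src in local and dst in remote for local, remote in spd)


def simulate(rules: List[Rule], spd: Spd, src, dst, out_if: str, masq_addr: str):
    """Walk POSTROUTING with first-match semantics; return (source after NAT, rule hit).

    The policy match sees the addresses the packet has at that rule (before any later
    MASQUERADE); the kernel's own xfrm lookup, by contrast, sees the post-NAT source.
    """
    for r in rules:
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.out_if is not None and r.out_if != out_if:
            continue
        if r.pol_ipsec and not in_spd(spd, src, dst):
            continue
        if r.target == "ACCEPT":
            return src, r
        if r.target in ("MASQUERADE", "SNAT"):
            return ipaddress.ip_address(r.to_source or masq_addr), r
        raise ValueError(f"target {r.target} not modelled: {r.raw}")
    return src, None  # fell through to the chain policy (ACCEPT)


def nat_breaks_tunnel(save_text: str, spd: Spd, src: str, dst: str,
                      out_if: str, masq_addr: str) -> Optional[str]:
    """Text of the rule that pushes tunnel traffic out of the IPsec policy, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not in_spd(spd, s, d):
        return None  # not tunnel traffic; NAT is expected there
    new_src, hit = simulate(parse_postrouting(save_text), spd, s, d, out_if, masq_addr)
    return None if in_spd(spd, new_src, d) else hit.raw


# Constructed topology: LAN 10.10.0.0/24 behind this gateway, whose external interface
# eth0 holds 198.51.100.1; remote site 192.168.50.0/24 is reached through StrongSwan.
SPD: Spd = [(Net("10.10.0.0/24"), Net("192.168.50.0/24"))]
EXT_IF, EXT_ADDR, LAN_HOST = "eth0", "198.51.100.1", "10.10.0.5"
MASQ = "-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE"
EXEMPT = "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
HEADER = "*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n"
BROKEN = HEADER + MASQ + "\nCOMMIT\n"                 # internet NAT swallows tunnel traffic
FIXED = HEADER + EXEMPT + "\n" + MASQ + "\nCOMMIT\n"  # exemption inserted ahead of it


def check(ruleset: str, dst: str = "192.168.50.7") -> Optional[str]:
    return nat_breaks_tunnel(ruleset, SPD, LAN_HOST, dst, EXT_IF, EXT_ADDR)


def source_after_nat(ruleset: str, dst: str) -> str:
    """Source address a packet from LAN_HOST to dst leaves eth0 with under ruleset."""
    new_src, _ = simulate(parse_postrouting(ruleset), SPD, ipaddress.ip_address(LAN_HOST),
                          ipaddress.ip_address(dst), EXT_IF, EXT_ADDR)
    return str(new_src)


if __name__ == "__main__":
    print("broken ruleset, offending rule:", check(BROKEN))
    print("fixed ruleset, offending rule: ", check(FIXED))
    print("fixed ruleset, internet traffic:", source_after_nat(FIXED, "203.0.113.9"))
```

On the real box the equivalent check is to feed `iptables-save -t nat` to the script, then confirm with the counters: `iptables -t nat -L POSTROUTING -v -n -x`, ping the remote subnet, and see which rule's packet counter moves. If a MASQUERADE or SNAT rule is the one counting, the exemption `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT` (or an explicit `-s LAN -d REMOTE -j ACCEPT`) must sit before it; because nat/POSTROUTING only sees the first packet of each connection, stale conntrack entries can keep an already-NATed flow broken after the rule change, so re-test with a new connection or flush conntrack.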