Iptables configuration for postrouting NAT

Hello, I'm using strongswan to make a VPN and need to NAT a virtual LAN - real lan is ip lan and device to be reached
My virtual LAN should be and it's specified in my ipsec.conf file (tunnel is up and working) but traffic is not correctly routed, I think I should add a rule like this:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source

I can see it, but it seems traffic is not routed to the host:

iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -nv

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 SNAT       all  --  *      *            to:
    0     0 SNAT       all  --  *      *            to:
    0     0 SNAT       all  --  *      *            to:
    5   422 postrouting_rule  all  --  *      *              /* !fw3: Custom postrouting rule chain */
    0     0 zone_lan_postrouting  all  --  *      br-lan              /* !fw3 */
    4   304 zone_wan_postrouting  all  --  *      eth0.2              /* !fw3 */
    0     0 SNAT       all  --  *      *            to:

How can I debug and troubleshoot this scenario?

I don't think the packet will ever reach the nat postrouting chain. It will be intercepted by strongswan before that and what you should do is make an SA from 192.168.0/24 towards the networks of the peer.

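An added example, not part of the original thread: a small shell helper that reads the per-rule packet counters from a listing like the one in the question and reports which SNAT rules in POSTROUTING have matched anything. The function names and every address in the sample listing are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L POSTROUTING -vn` output.
# All addresses are made up for the example (RFC 1918 / RFC 5737 ranges).
sample_listing() {
cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 SNAT       all  --  *      *       10.10.0.0/24         0.0.0.0/0            to:192.0.2.10
    0     0 SNAT       all  --  *      *       10.20.0.0/24         0.0.0.0/0            to:192.0.2.10
  12K  901K SNAT       all  --  *      *       10.30.0.0/24         0.0.0.0/0            to:192.0.2.11
    4   304 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
EOF
}

# Read a -vn listing on stdin; print one line per SNAT rule:
#   <position in chain> <pkts> <source> <to:address> <HIT|UNUSED>
snat_hits() {
    awk '
        /^Chain / || $1 == "pkts" || NF == 0 { next }   # skip headers and blanks
        { pos++ }                              # every remaining line is a rule
        $3 == "SNAT" {
            to = "-"
            for (i = 1; i <= NF; i++) if ($i ~ /^to:/) to = $i
            # pkts may carry a K/M/G suffix unless -x was used; only a
            # literal 0 means the rule never matched.
            state = ($1 == "0") ? "UNUSED" : "HIT"
            print pos, $1, $8, to, state
        }
    '
}

# Count SNAT rules that never matched a packet.
snat_unused_count() {
    snat_hits | awk '$5 == "UNUSED" { n++ } END { print n + 0 }'
}

# Demo on the constructed listing; on a live system pipe in
# `iptables -t nat -L POSTROUTING -vn` instead.
sample_listing | snat_hits
```

Rules in the nat table are evaluated only for the first packet of each connection, so compare zero against non-zero counters rather than against traffic volume.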