SNAT iptables does not work when packet is encapsulated in esp transport mode


I have the following setup, involving one host and a docker container.

  • On the host, I am setting up an ipsec tunnel connection to a remote gateway.
  • In the docker container running on the host, I set up a transport mode ipsec connection to another address that is only reachable via the ipsec tunnel set up previously.

To make sure that every packet from the docker-container is routed via the ipsec tunnel, I used iptables like so:

sudo ip6tables -j SNAT -t nat -I POSTROUTING 1  -d <vpnSubnet> -s <dockerip> --to-source <virtualip>
sudo ip6tables -j DNAT -t nat -I PREROUTING 1 -d <virtualip> -s <vpnsubnet> --to-destination <dockerip>

The SNAT rule works before I set up the xfrm transport mode connection in the docker. After that, I see a packet from the <dockerip> to the address in <vpnsubnet> on the docker0 interface, but not anymore on my wireless interface. If I add a log iptables rule like so:

sudo ip6tables -j LOG -t nat -I POSTROUTING 1  -d <vpnSubnet> -s <dockerip> --log-prefix " [>] Vincent SNAT match"

this log rule triggers before I set up the ip xfrm tunnel in the docker-container, but not after. How do I make sure that the SNAT rule triggers even if there is an ipsec transport mode setup in the docker-container?

The ip xfrm output (from within the docker container, after setting up the transport mode tunnel) looks as follows (shortened for brevity):

ip xfrm state

src <tunnel-ip> dst <docker-container>
        proto esp spi 0x0000385c reqid 101 mode transport
        replay-window 4 
        auth-trunc hmac(md5) <auth-key> 96
        enc cbc(aes) <enc-key>
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src ::/0 dst ::/0 
src <docker-container> dst <tunnel-ip>
        proto esp spi 0x8bc04e63 reqid 100 mode transport
        replay-window 4 
        auth-trunc hmac(md5) <auth-key> 96
        enc cbc(aes) <enc-key>
        anti-replay context: seq 0x0, oseq 0xb, bitmap 0x00000000
        sel src ::/0 dst ::/0 

ip xfrm policy

src <tunnel-ip> dst <docker-container>
        dir in priority 0 ptype main flag localok
        mark 0/0xffffffff 
        tmpl src :: dst ::
                proto esp spi 0x0000385c reqid 101 mode transport
src <docker-container> dst <tunnel-ip>
        dir out priority 0 ptype main flag localok
        mark 0/0xffffffff 
        tmpl src :: dst ::
                proto esp spi 0x8bc04e63 reqid 100 mode transport
Tags: iptables, nat, ipsec
asked on Server Fault Nov 16, 2020 by BlockchainThomas
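An added example, not code from the question or its poster: it parses `ip xfrm policy` output in the format shown above and reports which policy a flow leaving the container hits and, for a transport-mode policy, what the host's netfilter hooks on docker0 then see instead of the original protocol. The IPv6 addresses, SPIs and flows in the sample are constructed stand-ins for the placeholders in the question.

```python
import ipaddress
import re

# Constructed sample modelled on the `ip xfrm policy` output in the question; the
# addresses are made-up documentation-range values, not the poster's real ones.
SAMPLE_POLICY = """\
src 2001:db8:1::10/128 dst 2001:db8:2::5/128
        dir in priority 0 ptype main flag localok
        tmpl src :: dst ::
                proto esp spi 0x0000385c reqid 101 mode transport
src 2001:db8:2::5/128 dst 2001:db8:1::10/128
        dir out priority 0 ptype main flag localok
        tmpl src :: dst ::
                proto esp spi 0x8bc04e63 reqid 100 mode transport
"""

HEAD_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")

def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into one dict per policy (selector, dir, tmpl)."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEAD_RE.match(line):  # a selector line opens a new policy block
            policies.append({"src": ipaddress.ip_network(m.group(1), strict=False),
                             "dst": ipaddress.ip_network(m.group(2), strict=False)})
        elif m := DIR_RE.match(line):
            policies[-1].update(dir=m.group(1), priority=int(m.group(2)))
        elif m := TMPL_RE.match(line):
            policies[-1]["tmpl"] = {"proto": m.group(1), "spi": int(m.group(2), 16),
                                    "reqid": int(m.group(3)), "mode": m.group(4)}
    return policies

def lookup(policies, src, dst, direction):
    """Matching policy with the lowest priority value, or None if the flow is not
    covered (the packet then leaves the namespace untransformed)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def as_seen_on_docker0(policies, src, dst, proto):
    """(next-header, src, dst) the host sees. Transport mode keeps the IPv6
    addresses but the payload now arrives as ESP instead of `proto`."""
    p = lookup(policies, src, dst, "out")
    assert p is None or p["tmpl"]["mode"] == "transport"  # tunnel mode not modelled
    return (proto, src, dst) if p is None else ("esp", src, dst)
```

Running `as_seen_on_docker0` on the container-to-tunnel flow returns an ESP triple, which is the header a `-p tcp`/`-p udp` match or a connection-tracking-based NAT rule on the host will be confronted with rather than the original transport protocol.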

0 Answers

Nobody has answered this question yet.
