I'm in the process of setting up strongSwan for a remote-access VPN on a Linux router. Clients are assigned IPs in the 192.168.251.0/24 subnet. Clients can connect in from the internet and can access subnets behind the router. I have an iptables source NAT rule that translates traffic with a source IP of 192.168.251.0/24 to the address of the external interface of the router. Clients can ping out to the internet, and iptables is successfully NATting the pings. However, any other kind of traffic doesn't get NATted; the router sends it out to the internet with the original 192.168.251.0 address, which of course is unroutable. This makes absolutely no sense; why is ping traffic NATted but everything else isn't?
Here is my NAT table. I am ACCEPTing traffic with destination port 4500 and source address of 192.168.251.0/24 in both my INPUT and FORWARD chains of the filter table.
Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/16 -o external -j MASQUERADE
-A POSTROUTING -s 10.11.12.0/24 -o external -j MASQUERADE
-A POSTROUTING -s 192.168.251.0/24 -o external -j SNAT --to-source 98.240.13.217
tcpdump on the external interface definitely shows VPN traffic exiting the router with private IPs of 192.168.251.x still intact, meaning the traffic isn't getting NATted. As well, "iptables -t nat -nvxL" shows the SNAT rule hit count staying at 0.
I have tried using MASQUERADE instead of SNAT for that last VPN subnet rule ("-A POSTROUTING -s 192.168.251.0/24 -o external -j MASQUERADE") which of course did not work either.
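As an added illustration (not part of the original post, and not a diagnosis of it), here is a small Python model of how the nat/POSTROUTING chain above is evaluated: first-match over the posted rules, plus the conntrack behaviour that the nat table is only consulted for the first packet of a connection, with a hit counter per rule like the one shown by "iptables -t nat -nvxL". The address MASQUERADE would pick for the interface named "external" and the sample packets are constructed assumptions for the example; the match options supported are only the ones the posted rules use.

```python
import ipaddress

# The POSTROUTING rules from the post above, in iptables-save syntax.
NAT_RULES = """\
-A POSTROUTING -s 172.16.0.0/16 -o external -j MASQUERADE
-A POSTROUTING -s 10.11.12.0/24 -o external -j MASQUERADE
-A POSTROUTING -s 192.168.251.0/24 -o external -j SNAT --to-source 98.240.13.217
"""

# MASQUERADE uses the outgoing interface's primary address; this is the
# assumed address of the interface named "external" for the example.
EXTERNAL_ADDRS = {"external": "98.240.13.217"}


def parse_rules(text):
    """Parse the subset of iptables-save syntax used above (-A, -s, -o, -p, -j, --to-source)."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        rule = {"src": None, "out": None, "proto": None, "target": None, "to": None}
        i = 0
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-A":
                rule["chain"] = arg
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-o":
                rule["out"] = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "-j":
                rule["target"] = arg
            elif opt == "--to-source":
                rule["to"] = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """True if every match option present on the rule matches the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["out"] is not None and pkt["out"] != rule["out"]:
        return False
    if rule["proto"] is not None and pkt["proto"] != rule["proto"]:
        return False
    return True


class NatSimulator:
    """First-match walk of nat/POSTROUTING, plus the conntrack rule that the nat
    table is consulted only for the first packet of a connection."""

    def __init__(self, rules):
        self.rules = rules
        self.hits = [0] * len(rules)   # per-rule packet counter, as in iptables -nvxL
        self.conntrack = {}            # flow tuple -> source address the flow leaves with

    @staticmethod
    def flow_key(pkt):
        # Constructed flow identity: protocol, source, destination, outgoing interface.
        return (pkt["proto"], pkt["src"], pkt["dst"], pkt["out"])

    def send(self, pkt):
        """Return the source address the packet leaves the router with."""
        key = self.flow_key(pkt)
        if key in self.conntrack:
            return self.conntrack[key]  # existing connection: nat chain is not consulted
        new_src = pkt["src"]            # chain policy is ACCEPT: source left unchanged
        for i, rule in enumerate(self.rules):
            if not rule_matches(rule, pkt):
                continue
            self.hits[i] += 1
            if rule["target"] == "SNAT":
                new_src = rule["to"]
            elif rule["target"] == "MASQUERADE":
                new_src = EXTERNAL_ADDRS[pkt["out"]]
            break                       # first matching terminating target wins
        self.conntrack[key] = new_src
        return new_src


if __name__ == "__main__":
    sim = NatSimulator(parse_rules(NAT_RULES))
    # Constructed sample packets from a VPN client address.
    icmp = {"proto": "icmp", "src": "192.168.251.10", "dst": "8.8.8.8", "out": "external"}
    tcp = {"proto": "tcp", "src": "192.168.251.10", "dst": "93.184.216.34", "out": "external"}
    print("icmp leaves as", sim.send(icmp))
    print("tcp leaves as", sim.send(tcp))
    print("rule hit counts", sim.hits)
```

Two things the model makes visible: none of the posted rules looks at the protocol, so the ruleset itself treats ICMP and TCP from 192.168.251.0/24 identically, and a rule's hit counter only moves for the first packet of a connection, so a flow whose conntrack entry was created before the rule was loaded (or a packet that reaches POSTROUTING with a different source address or outgoing interface than the rule names) leaves untranslated without touching the counter.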