By Daiko
I set up an IPsec connection from VPN GW-A to VPN GW-B; hosts in the VPN A subnet can send packets to hosts in the VPN B subnet and vice versa.
VPN GW-A is Ubuntu Server.
I need to connect to GW-A pub IP on port 9876 and route/forward to host in the GW-B subnet to the same port 9876.
What I did:
```
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
```

```
-A PREROUTING -d GW-A/32 -p tcp -m tcp --dport 9876 -j DNAT --to-destination HOST-B:9876
-A POSTROUTING -s HOST-B/32 -d GW-A/32 -p tcp -m tcp --sport 9876 --dport 9876
```
My tcpdump log when I try to connect to GW-A on port 9876 is:
```
12:07:51.830469 IP CLIENT.60364 > GW-A.9876: Flags [SEW], seq 2029591603, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:07:51.830520 IP GW-A.60364 > HOST-B.9876: Flags [SEW], seq 2029591603, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:07:57.898877 IP CLIENT.60364 > GW-A.9876: Flags [S], seq 2029591603, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:07:57.898928 IP GW-A.60364 > HOST-B.9876: Flags [S], seq 2029591603, win 8192, options [mss 1460,nop,nop,sackOK], length 0
```
Heya,
Just came across this answer and decided to write some general guidelines for anyone who comes across this in the future despite the old question.
Based on your tcpdump log, it’s clear that your forwarded packets are reaching HOST-B, but it seems as though there’s no response coming back. This could be due to a few reasons:
HOST-B is not accepting or responding to the packets. You should make sure that your application on HOST-B is accepting connections on port 9876.
The return packets might be not correctly routed back to the client through GW-A. Make sure you’ve configured your POSTROUTING rules correctly.
You can use the `iptables -t nat -L -n -v` command to verify your rules.
Remember to make any iptables configuration changes, and always test your configuration after applying it.
Hope that this helps!
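As an added illustration of the two points in this answer (it is not code from the asker or from DigitalOcean), the script below does two things: it prints a complete port-forwarding rule set for a gateway like GW-A, and it audits a tcpdump capture for forwarded SYNs that never get a SYN-ACK back. All addresses are placeholders from the documentation ranges; the rule set assumes GW-A has an address inside subnet A (`GW_A_INNER`) and that the tunnel's policy covers subnet A to subnet B. The POSTROUTING rule is an SNAT to that inner address, which the asker's rule set lacks: without it the forwarded packet keeps the client's public source address, so it does not match the subnet-to-subnet selector of the tunnel, and HOST-B's reply is not routed back through GW-A. The FORWARD rules are restricted to the one port and to tracked connection states rather than opening the whole forward path.

```shell
#!/bin/sh
# Added example; placeholder addresses, not values from the original question.
GW_A_PUB="203.0.113.10"   # placeholder: GW-A public IP
GW_A_INNER="10.0.1.1"     # placeholder: GW-A address inside subnet A
HOST_B="10.0.2.20"        # placeholder: target host inside subnet B
PORT="9876"

# Print the rule set for forwarding GW_A_PUB:PORT to HOST_B:PORT over the tunnel.
# DNAT rewrites the destination; SNAT rewrites the source to GW-A's inner address
# so the flow matches the subnet A <-> subnet B policy and replies return via GW-A.
gen_forward_rules() {
    gw_pub="$1"; gw_inner="$2"; host_b="$3"; port="$4"
    cat <<EOF
iptables -t nat -A PREROUTING -d ${gw_pub}/32 -p tcp --dport ${port} -j DNAT --to-destination ${host_b}:${port}
iptables -t nat -A POSTROUTING -d ${host_b}/32 -p tcp --dport ${port} -j SNAT --to-source ${gw_inner}
iptables -A FORWARD -d ${host_b}/32 -p tcp --dport ${port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${host_b}/32 -p tcp --sport ${port} -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Read tcpdump text on stdin and print "<forwarded SYNs> <SYN-ACKs from HOST-B>".
# A non-zero first number with a zero second number is the symptom in the question:
# packets reach HOST-B but nothing comes back.
count_handshake() {
    host_b="$1"; port="$2"
    awk -v dst="${host_b}.${port}" '
        BEGIN { syn_pat = "> " dst ": Flags [S"; src_pat = "IP " dst " > " }
        index($0, syn_pat) { syn++ }
        index($0, src_pat) && index($0, "Flags [S.]") { synack++ }
        END { printf "%d %d\n", syn + 0, synack + 0 }'
}

# Constructed captures (not the asker's log). The first reproduces the
# one-way symptom; the second shows a completed handshake for comparison.
BROKEN_CAPTURE='12:07:51.830469 IP 198.51.100.7.60364 > 203.0.113.10.9876: Flags [S], seq 1, win 8192, length 0
12:07:51.830520 IP 198.51.100.7.60364 > 10.0.2.20.9876: Flags [S], seq 1, win 8192, length 0
12:07:57.898877 IP 198.51.100.7.60364 > 203.0.113.10.9876: Flags [S], seq 1, win 8192, length 0
12:07:57.898928 IP 198.51.100.7.60364 > 10.0.2.20.9876: Flags [S], seq 1, win 8192, length 0'

HEALTHY_CAPTURE='12:10:01.000100 IP 198.51.100.7.60365 > 203.0.113.10.9876: Flags [S], seq 7, win 8192, length 0
12:10:01.000150 IP 10.0.1.1.60365 > 10.0.2.20.9876: Flags [S], seq 7, win 8192, length 0
12:10:01.000900 IP 10.0.2.20.9876 > 10.0.1.1.60365: Flags [S.], seq 99, ack 8, win 65535, length 0
12:10:01.000950 IP 203.0.113.10.9876 > 198.51.100.7.60365: Flags [S.], seq 99, ack 8, win 65535, length 0'

# Stand-alone run: print the rules, then audit both captures.
gen_forward_rules "$GW_A_PUB" "$GW_A_INNER" "$HOST_B" "$PORT"
printf 'broken capture (SYN SYN-ACK): %s\n' "$(printf '%s\n' "$BROKEN_CAPTURE" | count_handshake "$HOST_B" "$PORT")"
printf 'healthy capture (SYN SYN-ACK): %s\n' "$(printf '%s\n' "$HEALTHY_CAPTURE" | count_handshake "$HOST_B" "$PORT")"
```

Run the audit against a real capture with `tcpdump -n -i any port 9876 | sh -c '. ./script.sh; count_handshake HOST_B 9876'` style piping, or save the capture to a file and redirect it in; a result of `N 0` means the FORWARD or POSTROUTING side needs attention, while `N N` means the tunnel side is answering and the problem, if any, is on the return path to the client.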