SNAT problem


#1

Hello, let me ask a question about an SNAT problem I have.
It keeps occurring about once a week, and I need to restart strongSwan manually to fix it.
I’m using VyOS 1.1.7, updated from EC2 instances (m3.large) created from the AWS marketplace
https://aws.amazon.com/marketplace/pp/B00JK5UPF6.
I’m using two VyOS boxes to connect two AWS regions to our data center.
VyOS1(AWS US) -> VyOS2(AWS Tokyo) -> On premise data center
Between VyOS1 and VyOS2, packets are encrypted by IPsec and the source IP addresses are translated to the eth0 interface of VyOS2.
We do this as the IP address for VyOS1 is not permitted to directly access our data center (ACL).
But VyOS1 sometimes fails to access the data center because SNAT stops working properly.
I did a packet capture (tcpdump) for the VyOS2’s outbound traffic to our data center.
I found that the source IP address of the packets was not being translated, so they still had VyOS1’s IP.
I restarted strongSwan manually with the commands below:
    service ipsec stop
    service ipsec start
I also added a LOG rule as the first rule of the iptables PREROUTING and POSTROUTING chains.
I found that the POSTROUTING chain was not producing any log output, while PREROUTING was working properly and logging every packet.
I’m attaching the configuration for VyOS1 and VyOS2.

Any hints on how to fix this?
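The PREROUTING/POSTROUTING LOG comparison described in the post, as an added diagnostic script that is not part of the original post or of VyOS. The log prefixes "NAT-PRE:" and "NAT-POST:", the interface names and the addresses in the sample log are all assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of iptables LOG output as it would appear in the kernel log.
# Assumed prefixes: "NAT-PRE:" for the PREROUTING rule, "NAT-POST:" for POSTROUTING.
# Flows from 10.0.1.10 appear in PREROUTING only; the flow from 10.0.2.20 reaches POSTROUTING.
SAMPLE_LOG='Jan 10 12:00:01 vyos2 kernel: NAT-PRE: IN=eth1 OUT= SRC=10.0.1.10 DST=192.168.50.5 PROTO=TCP SPT=40001 DPT=443
Jan 10 12:00:01 vyos2 kernel: NAT-PRE: IN=eth1 OUT= SRC=10.0.2.20 DST=192.168.50.5 PROTO=TCP SPT=40002 DPT=443
Jan 10 12:00:01 vyos2 kernel: NAT-POST: IN= OUT=eth0 SRC=10.0.2.20 DST=192.168.50.5 PROTO=TCP SPT=40002 DPT=443
Jan 10 12:00:02 vyos2 kernel: NAT-PRE: IN=eth1 OUT= SRC=10.0.1.10 DST=192.168.50.6 PROTO=TCP SPT=40003 DPT=22'

# Read LOG lines on stdin; print "SRC pre_count post_count" per source address.
nat_chain_counts() {
  awk '{
    pre = 0; post = 0; src = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "NAT-PRE:")  pre = 1
      if ($i == "NAT-POST:") post = 1
      if (index($i, "SRC=") == 1) src = substr($i, 5)
    }
    if (src == "") next          # not a LOG line we recognise
    if (pre)  P[src]++
    if (post) Q[src]++
    seen[src] = 1
  }
  END { for (s in seen) printf "%s %d %d\n", s, P[s] + 0, Q[s] + 0 }' | sort
}

# Sources that hit PREROUTING but never POSTROUTING: the symptom from the post,
# where packets leave with an untranslated source address.
missing_postrouting() {
  nat_chain_counts | awk '$2 > 0 && $3 == 0 { print $1 }'
}

# Stand-alone run against the constructed sample (on a live box: dmesg or /var/log/kern.log).
printf '%s\n' "$SAMPLE_LOG" | missing_postrouting
```

Note that LOG rules placed in the nat table fire only for the first packet of each connection-tracked flow, so counts taken there are per flow rather than per packet.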