[strongSwan] Colliding subnets, NETMAP and charon/pluto

Dennis Jacobfeuerborn dennisml at conversis.de
Sun Sep 14 18:25:49 CEST 2014


Hi Noel,
never mind. It looks like I was just over-thinking this and neither
marks nor scripts are necessary to accomplish my goal.

For anybody else who might stumble upon this post searching for
something similar here is an example:

left real subnet: 10.22.24.0/24
left NAT subnet : 172.21.10.0/24
right subnet    : 10.1.3.0/24

iptables -t nat -A POSTROUTING -s 10.22.24.0/24 -d 10.1.3.0/24 -j NETMAP --to 172.21.10.0/24
iptables -t nat -A PREROUTING -s 10.1.3.0/24 -d 172.21.10.0/24 -j NETMAP --to 10.22.24.0/24

With these two iptables rules the traffic gets NATed correctly between
the two subnets.

Regards,
  Dennis
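As an added example (not part of Dennis's post), the POSIX shell snippet below simulates what the NETMAP target does to a single address (network bits replaced, host bits kept) using the subnets from the post, and prints the two rules for any pair of real/NAT/remote subnets; it generalizes to prefix lengths other than /24, and the function names are my own.

```shell
#!/bin/sh
# Added example: simulate NETMAP 1:1 address translation and emit the
# rules from the post. Nothing here touches the kernel; it only needs
# POSIX sh arithmetic, so it can be checked before rules go live.

# Convert dotted-quad IPv4 to an integer.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert an integer back to dotted-quad IPv4.
int_to_ip4() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# netmap ADDR NET/PREFIX: what "-j NETMAP --to NET/PREFIX" produces for
# ADDR, i.e. the network bits of NET with the host bits of ADDR kept.
netmap() {
    _addr=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _plen=${2#*/}
    _mask=$(( (0xffffffff << (32 - _plen)) & 0xffffffff ))
    int_to_ip4 $(( (_net & _mask) | (_addr & ~_mask & 0xffffffff) ))
}

# netmap_rules LEFT_REAL LEFT_NAT RIGHT: the two rules from the post.
# Outbound (POSTROUTING): real source -> NAT source before it enters the
# tunnel. Inbound (PREROUTING): NAT destination -> real destination after
# it leaves the tunnel. The tunnel's leftsubnet must be LEFT_NAT.
netmap_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j NETMAP --to %s\n' "$1" "$3" "$2"
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -j NETMAP --to %s\n' "$3" "$2" "$1"
}

# Round trip one host through both directions; a correct pair of
# subnets must return the original address.
netmap_roundtrip() {
    _out=$(netmap "$1" "$3")        # seen by the remote side
    netmap "$_out" "$2"             # mapped back on reply
}

netmap 10.22.24.57 172.21.10.0/24           # prints 172.21.10.57
netmap_roundtrip 10.22.24.57 10.22.24.0/24 172.21.10.0/24   # prints 10.22.24.57
netmap_rules 10.22.24.0/24 172.21.10.0/24 10.1.3.0/24
```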

On 14.09.2014 16:55, Dennis Jacobfeuerborn wrote:
> Hi Noel,
> do you have a practical example for this? I added mark_in=2 and
> mark_out=3 in the configuration but after restarting everything I don't
> see any lines like "mark 2/0xffffffff" in the output of "ip xfrm policy".
> I'm not wedded to any particular method to accomplish this so what I'm
> really interested in is given a working Tunnel that looks like this:
> 
> SubnetA <-> (tunnel) <-> SubnetB
> 
> what specific changes to the configuration and/or scripts (if any) are
> required to change this into:
> 
> SubnetA <NAT> FakeSubnetA <-> (tunnel) <-> SubnetB
> 
> I searched the web, but while I found lots of theoretical explanations
> of how this can be accomplished, I found no practical examples of how
> this is set up using strongswan.
> 
> Regards,
>   Dennis
> 
> On 12.09.2014 20:17, Noel Kuntze wrote:
>>
>> Hello Dennis,
>>
>> You can use the mark_in and mark_out options to have policies for both subnets.
>> You then need to use iptables to distinguish traffic for and from the different identical
>> subnets and mark it appropriately using -j MARK {parameters}.
>> The _updown and _updown_espmark are actually a legacy thing but are used and invoked by charon, too.
>> Modify it appropriately to insert the rules. The file works correctly by default.
>> Of course, you can also use netmap instead.
>>
>> Kind regards/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> On 12.09.2014 at 17:33, Dennis Jacobfeuerborn wrote:
>>> Hi,
>>> I've set up a couple of IPsec tunnels using Strongswan so far and it
>>> works great; however, now I've hit a little bump.
>>> I need to set up a tunnel where the /24 subnets on both sides collide.
>>> After some reading it seems that I need to set up an additional /24
>>> subnet on my end which will be used as the subnet of the tunnel and then
>>> use iptables NETMAP rules to NAT IPs from this "fake" subnet to the real
>>> one and back.
>>
>>> Apparently the Strongswan RPM I'm using comes with a script
>>> "_updown_espmark" that is supposed to do something like that but it
>>> seems to have been written for the pluto daemon and its interfaces even
>>> though Strongswan now comes with charon.
>>
>>> If the actual subnet I want to use is 10.1.0.0/24 and the "fake" one for
>>> NATing purposes is 192.168.0.0/24, what iptables rules would I need to make
>>> this work?
>>
>>> Regards,
>>>   Dennis
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>>
> 
> 