<div dir="ltr">I did some more digging up and found this to be closest to what I want.<div><br><div><a href="http://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/index.html">http://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/index.html</a><br>
</div><div><br></div><div style>Just an FYI, I have Strongswan installed and working in many scenarios including iOS connections, Android connections, and also site-to-site VPN connections all working in parallel. The site-to-site connections work as long as the subnets behind the right (Cisco ASA) devices are unique and not overlapping. Unfortunately, in my setup both have <a href="http://192.168.1.0/24">192.168.1.0/24</a> as I mentioned in the earlier post.</div>
<div style><br></div><div style>The console.log of nat-rw-mark shows how iptables SNAT is applied in the POSTROUTING chain to differentiate the connections from alice and venus at bob. My scenario is slightly different in the sense that I want to redirect packets from alice and venus to a squid proxy on "sun". That means, I won't have the opportunity to apply the SNAT in POSTROUTING chain.</div>
<div style><br></div><div style>At the moment, I am planning to follow this example with a small variation. I'd have squid listen on multiple ports, with a dedicated port for each of the connecting routers (alice and venus in this example) and do DNAT in the PREROUTING chain. On squid I can then use the unique port number as the unique identifier.</div>
<div style><br></div><div style>I'd appreciate if anyone can offer a simpler method.</div><div style><br></div><div style>Thanks a lot.</div><div style><br></div><div style>Bharath Kumar</div><div style><br></div><div style>
<br></div><div style><br></div><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Apr 4, 2013 at 3:24 PM, Bharath Kumar <span dir="ltr"><<a href="mailto:cbkumar@gmail.com" target="_blank">cbkumar@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi All,<div><br></div><div>I have a question on this scenario.</div><div><br></div><div>Left --- Strongswan Gateway</div>
<div>=====================</div><div><br></div><div>
Two connection profiles</div><div><br></div><div>conn cisco-asa-1</div><div> ....</div><div> ....</div><div> left=%defaultroute</div><div> right = <ip-of-cisco-asa-1></div>
<div> rightsubnet=<a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a></div><div><br></div><div><br></div><div>conn cisco-asa-2</div><div> ....</div><div> ....</div><div> left=%defaultroute</div>
<div> right = <ip-of-cisco-asa-2></div><div> rightsubnet = <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a></div><div><br></div><div><br></div><div>As you can see, the rightsubnet is same for both connection profiles. I want to be able to determine which tunnels the packets came thru when I receive packets from remote hosts, say 192.168.1.9.</div>
<div><br></div><div>Is there any way to do that? Any help is greatly appreciated!</div><div><br></div><div><br></div><div>Thanks,</div><div>Bharath Kumar</div><div><br></div><div>
<br></div><div><br></div><div> <br></div></div>
</blockquote></div><br></div>