[strongSwan-dev] StrongSwan+NETKEY and overlapping IP subnets

Ansis Atteka ansisatteka.dev at gmail.com
Tue Mar 15 01:45:33 CET 2011


Hello,

Here is a problem I am trying to solve: We have multiple IPsec clients
that connect to the same IPsec server. This IPsec Server acts as a
"gateway" to the Internet for all computers that are behind those
IPsec clients (see diagram below). The problem is that subnets between
these IPsec clients might overlap and we do not have control over
them, hence we would like to implement a kernel driver that translates
IP addresses from (private_ip, SPI) -----> unique_ip (and also to the
other direction) on the IPsec server. But to be able to implement this
IP translator as a kernel driver we must be able to get/put extra
context (probably, Security Parameter Index) from/to XFRM framework.

Within OpenSwan+KLIPS the feature that allows one to accomplish this is
called "SAref tracking". I am wondering if there is something similar
implemented for the StrongSwan+NETKEY combination? So far I have looked
into the XFRM framework and it seems that it would need a couple of
changes there. I am wondering if this could have already been or is
going to be implemented by some other means in StrongSwan and NETKEY?

Also there are some performance considerations why we would like to
rather use StrongSwan (Charon) + NETKEY instead of OpenSwan (Pluto) +
KLIPS.


Here is a sample networking diagram:

IpsecClient1<--- Computer1 (192.168.0.100/24)
  |
  |
  Internet
  |
  v
IpsecServer (translate Computer1 IP to 10.0.0.1/8 and Computer2 IP to
10.0.0.2/8) ------NAT 10.0.0.0/8 subnet to a public IP ------->
Internet
  ^
  |
  Internet
  |
  |
IpsecClient2<--- Computer2 (192.168.0.100/24)


Regards,
Ansis