[strongSwan-dev] StrongSwan+NETKEY and overlapping IP subnets

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 15 05:49:44 CET 2011


Hello Ansis,

have you had a look at the following scenario

http://www.strongswan.org/uml/testresults/ikev2/nat-two-rw-mark/

which uses XFRM marks to map identical remote networks to
different ones?

Regards

Andreas

On 03/15/2011 01:45 AM, Ansis Atteka wrote:
> Hello,
> 
> Here is a problem I am trying to solve: We have multiple IPsec clients
> that connect to the same IPsec server. This IPsec Server acts as a
> "gateway" to the Internet for all computers that are behind those
> IPsec clients (see diagram below). The problem is that subnets between
> these IPsec clients might overlap and we do not have control over
> them, hence we would like to implement a kernel driver that translates
> IP addresses from (private_ip, SPI) -----> unique_ip (and also to the
> other direction) on the IPsec server. But to be able to implement this
> IP translator as a kernel driver we must be able to get/put extra
> context (probably, Security Parameter Index) from/to XFRM framework.
> 
> Within OpenSwan+KLIPS the feature that allows one to accomplish this is
> called "SAref tracking". I am wondering if there is something similar
> implemented for StrongSwan+NETKEY combination? So far I have looked
> into the XFRM framework and it seems that it would need a couple of
> changes there. I am wondering if this could have already been or is
> going to be implemented by some other means in StrongSwan and NETKEY?
> 
> Also there are some performance considerations why we would like to
> rather use StrongSwan (Charon) + NETKEY instead of OpenSwan (Pluto) +
> KLIPS.
> 
> 
> Here is a sample Networking diagram:
> 
> IpsecClient1<--- Computer1 (192.168.0.100/24)
>   |
>   |
>   Internet
>   |
>   v
> IpsecServer (translate Computer1 IP to 10.0.0.1/8 and Computer2 IP to
> 10.0.0.2/8) ------NAT 10.0.0.0/8 subnet to a public IP ------->
> Internet
>   ^
>   |
>   Internet
>   |
>   |
> IpsecClient2<--- Computer2 (192.168.0.100/24)
> 
> 
> Regards,
> Ansis
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
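The mapping the two messages are discussing, as an added illustration that is not code from either poster or from strongSwan: the server keys its address translation on (inner private address, per-tunnel context) rather than on the address alone, so two clients that both announce 192.168.0.0/24 can be mapped 1:1 onto distinct unique subnets and the reverse lookup can pick the right SA. The per-tunnel context here is an XFRM mark value (strongSwan can attach marks to a connection's SAs and policies via the `mark=` option); the mark values 10 and 20, the unique subnets 10.10.1.0/24 and 10.10.2.0/24, and the sample addresses are all assumptions made up for the example.

```python
import ipaddress

# Constructed sample: two road-warrior sites that both use 192.168.0.0/24
# behind the IPsec server. Each tunnel is told apart by the XFRM mark the
# server attached to that tunnel's SA and policies (values are assumptions).
TUNNELS = {
    # mark: (overlapping remote subnet, unique subnet chosen by the server)
    10: ("192.168.0.0/24", "10.10.1.0/24"),
    20: ("192.168.0.0/24", "10.10.2.0/24"),
}


class OverlapTranslator:
    """1:1 (NETMAP-style) translation keyed on (private_ip, mark).

    Inbound: (private_ip, mark) -> unique_ip, keeping the host bits.
    Outbound: unique_ip -> (mark, private_ip), so the packet can be steered
    to the SA that carries that mark.
    """

    def __init__(self, tunnels):
        self.by_mark = {}
        self.by_unique = {}
        for mark, (private, unique) in tunnels.items():
            p = ipaddress.ip_network(private)
            u = ipaddress.ip_network(unique)
            # 1:1 mapping requires equal-sized networks.
            if p.prefixlen != u.prefixlen:
                raise ValueError(f"mark {mark}: {p} and {u} differ in size")
            # The unique subnets are the server's own address space and
            # must not overlap each other, otherwise the reverse lookup
            # becomes ambiguous again.
            for other in self.by_unique:
                if u.overlaps(other):
                    raise ValueError(f"unique subnet {u} overlaps {other}")
            self.by_mark[mark] = (p, u)
            self.by_unique[u] = (mark, p)

    def to_unique(self, mark, private_ip):
        """Inbound direction: (private_ip, mark) -> unique_ip."""
        if mark not in self.by_mark:
            raise KeyError(f"no tunnel with mark {mark}")
        p, u = self.by_mark[mark]
        ip = ipaddress.ip_address(private_ip)
        if ip not in p:
            raise ValueError(f"{ip} is outside {p} announced by mark {mark}")
        host = int(ip) - int(p.network_address)
        return str(u.network_address + host)

    def to_private(self, unique_ip):
        """Outbound direction: unique_ip -> (mark, private_ip)."""
        ip = ipaddress.ip_address(unique_ip)
        for u, (mark, p) in self.by_unique.items():
            if ip in u:
                host = int(ip) - int(u.network_address)
                return mark, str(p.network_address + host)
        raise KeyError(f"{ip} is not in any unique subnet")

    def marks_for_private(self, private_ip):
        """Show why the address alone is not a usable key: every tunnel whose
        remote subnet contains private_ip is a candidate."""
        ip = ipaddress.ip_address(private_ip)
        return sorted(m for m, (p, _) in self.by_mark.items() if ip in p)


def demo():
    t = OverlapTranslator(TUNNELS)
    return {
        # Both computers are 192.168.0.100, but land on different unique IPs.
        "c1": t.to_unique(10, "192.168.0.100"),
        "c2": t.to_unique(20, "192.168.0.100"),
        # Reply traffic to the unique IP recovers the mark (and thus the SA).
        "back": t.to_private("10.10.2.100"),
        # Without the mark, the private address matches both tunnels.
        "ambiguous": t.marks_for_private("192.168.0.100"),
    }


if __name__ == "__main__":
    print(demo())
```

The `marks_for_private` lookup is the failure mode from the original question in miniature: with overlapping remote subnets the private address alone matches both tunnels, which is exactly why the server needs the extra per-SA context (SPI, SAref, or an XFRM mark) on the packet before it translates.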