[strongSwan-dev] StrongSwan+NETKEY and overlapping IP subnets

Ansis Atteka ansisatteka.dev at gmail.com
Tue Mar 22 01:01:21 CET 2011


Andreas,

Thank you, that was exactly what I have been looking for! But still
one thing: can I somehow tell StrongSwan and XFRM so that XFRM puts
that mark for me automatically, without using the iptables command from the
updown script?

Anyway, that is not a big problem, but I am wondering if this by any
chance has already been implemented in StrongSwan+NETKEY?
Because for inbound ESP traffic the packet does not need to be marked
beforehand just to decapsulate it, right?

Regards,
Ansis

On Mon, Mar 14, 2011 at 9:49 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Ansis,
>
> have you had a look at the following scenario
>
> http://www.strongswan.org/uml/testresults/ikev2/nat-two-rw-mark/
>
> which uses XFRM marks to map identical remote networks to
> different ones?
>
> Regards
>
> Andreas
>
> On 03/15/2011 01:45 AM, Ansis Atteka wrote:
>> Hello,
>>
>> Here is a problem I am trying to solve: We have multiple IPsec clients
>> that connect to the same IPsec server. This IPsec Server acts as a
>> "gateway" to the Internet for all computers that are behind those
>> IPsec clients (see diagram below). The problem is that subnets between
>> these IPsec clients might overlap and we do not have control over
>> them, hence we would like to implement a kernel driver that translates
>> IP addresses from (private_ip, SPI) -----> unique_ip (and also to the
>> other direction) on the IPsec server. But to be able to implement this
>> IP translator as a kernel driver we must be able to get/put extra
>> context (probably the Security Parameter Index) from/to the XFRM framework.
>>
>> Within OpenSwan+KLIPS the feature that allows one to accomplish this is
>> called "SAref tracking". I am wondering if there is something similar
>> implemented for the StrongSwan+NETKEY combination? So far I have looked
>> into the XFRM framework and it seems that it would need a couple of
>> changes there. I am wondering if this has already been, or is
>> going to be, implemented by some other means in StrongSwan and NETKEY?
>>
>> Also, there are some performance reasons why we would rather
>> use StrongSwan (Charon) + NETKEY instead of OpenSwan (Pluto) +
>> KLIPS.
>>
>>
>> Here is a sample networking diagram:
>>
>> IpsecClient1<--- Computer1 (192.168.0.100/24)
>>   |
>>   |
>>   Internet
>>   |
>>   v
>> IpsecServer (translate Computer1 IP to 10.0.0.1/8 and Computer2 IP to
>> 10.0.0.2/8) ------NAT 10.0.0.0/8 subnet to a public IP ------->
>> Internet
>>   ^
>>   |
>>   Internet
>>   |
>>   |
>> IpsecClient2<--- Computer2 (192.168.0.100/24)
>>
>>
>> Regards,
>> Ansis
>>
>> _______________________________________________
>> Dev mailing list
>> Dev at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/dev
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
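The translation the thread describes, (private_ip, tunnel context) in one direction and unique_ip in the other, modelled as an added example. This is not code from the thread, from strongSwan or from the kernel: the "tunnel context" is an opaque integer standing in for whatever the IPsec stack can hand to a translator (the SPI under the SAref idea, or the XFRM mark in the nat-two-rw-mark scenario), and the addresses and context values are constructed from the diagram above. The point it shows is why that context is needed at all: two clients each carrying 192.168.0.100 get distinct addresses from the 10.0.0.0/8 pool, and the reverse lookup returns the context so the server knows which tunnel must carry the reply, dropping packets for addresses it never allocated instead of guessing.

```python
# Added example (not strongSwan or kernel code): toy model of the
# (tunnel context, private IP) <-> unique IP translation discussed above.
# tunnel_ctx is an opaque integer standing in for the SPI or XFRM mark;
# every address and context value below is a constructed sample.
import ipaddress
from typing import Dict, Optional, Tuple

Key = Tuple[int, ipaddress.IPv4Address]


class OverlapTranslator:
    """Bidirectional table: (tunnel_ctx, private_ip) <-> unique_ip."""

    def __init__(self, pool: str = "10.0.0.0/8") -> None:
        self._pool = ipaddress.ip_network(pool)
        self._free = self._pool.hosts()          # yields 10.0.0.1, 10.0.0.2, ...
        self._fwd: Dict[Key, ipaddress.IPv4Address] = {}
        self._rev: Dict[ipaddress.IPv4Address, Key] = {}

    def outbound(self, tunnel_ctx: int, private_ip: str) -> str:
        """Client -> Internet: a decapsulated packet that still carries its
        tunnel context. Allocate a unique address the first time a
        (ctx, ip) pair is seen; the same pair always maps to the same one."""
        key: Key = (tunnel_ctx, ipaddress.IPv4Address(private_ip))
        unique = self._fwd.get(key)
        if unique is None:
            try:
                unique = next(self._free)
            except StopIteration:
                raise RuntimeError("translation pool %s exhausted" % self._pool)
            self._fwd[key] = unique
            self._rev[unique] = key
        return str(unique)

    def inbound(self, unique_ip: str) -> Optional[Tuple[int, str]]:
        """Internet -> client: reverse lookup. Returns (tunnel_ctx, private_ip)
        so the caller knows which tunnel the reply belongs to, or None when
        the destination was never allocated (drop rather than guess)."""
        key = self._rev.get(ipaddress.IPv4Address(unique_ip))
        if key is None:
            return None
        return key[0], str(key[1])

    def active_entries(self) -> int:
        return len(self._fwd)


def demo() -> Dict[str, object]:
    """Replays the diagram: two clients, both with 192.168.0.100 behind them."""
    t = OverlapTranslator()
    ctx_client1, ctx_client2 = 0x1001, 0x2002      # constructed SPI/mark values
    u1 = t.outbound(ctx_client1, "192.168.0.100")  # Computer1 via IpsecClient1
    u2 = t.outbound(ctx_client2, "192.168.0.100")  # Computer2 via IpsecClient2
    return {
        "computer1": u1,                            # 10.0.0.1
        "computer2": u2,                            # 10.0.0.2
        "reply_to_computer2": t.inbound(u2),        # (0x2002, '192.168.0.100')
        "unknown": t.inbound("10.200.0.1"),         # None: never allocated
        "entries": t.active_entries(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Without the context key, both clients' 192.168.0.100 would collapse onto one table entry and return traffic could not be steered to the right SA; with it, the table is a plain one-to-one mapping in each direction, which is what makes the kernel-side translation the original post asks about feasible once the SPI or mark is exposed.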