[strongSwan-dev] StrongSwan+NETKEY and overlapping IP subnets

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 22 11:03:43 CET 2011


Hello Ansis,

unfortunately XFRM forces you to set marks in both directions
even if they are not needed for the inbound direction.
XFRM cannot do this automatically, you must set the marks
externally e.g. using iptables.

Regards

Andreas

On 22.03.2011 01:01, Ansis Atteka wrote:
> Andreas,
>
> Thank you, that was exactly what I have been looking for! But still
> one thing - can I somehow tell StrongSwan and XFRM so that XFRM puts
> that mark for me automatically without using iptables command from the
> updown script?
> 
> Anyway that is not a big problem, but I am wondering if this by any
> chance could have been already implemented in StrongSwan+NETKEY?
> Because for inbound ESP traffic the packet does not need to be marked
> beforehand just to decapsulate it, right?
> 
> Regards,
> Ansis
> 
> On Mon, Mar 14, 2011 at 9:49 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> Hello Ansis,
>>
>> have you had a look at the following scenario
>>
>> http://www.strongswan.org/uml/testresults/ikev2/nat-two-rw-mark/
>>
>> which uses XFRM marks to map identical remote networks to
>> different ones?
>>
>> Regards
>>
>> Andreas
>>
>> On 03/15/2011 01:45 AM, Ansis Atteka wrote:
>>> Hello,
>>>
>>> Here is a problem I am trying to solve: We have multiple IPsec clients
>>> that connect to the same IPsec server. This IPsec Server acts as a
>>> "gateway" to the Internet for all computers that are behind those
>>> IPsec clients (see diagram below). The problem is that subnets between
>>> these IPsec clients might overlap and we do not have control over
>>> them, hence we would like to implement a kernel driver that translates
>>> IP addresses from (private_ip, SPI) -----> unique_ip (and also to the
>>> other direction) on the IPsec server. But to be able to implement this
>>> IP translator as a kernel driver we must be able to get/put extra
>>> context (probably, Security Parameter Index) from/to XFRM framework.
>>>
>>> Within OpenSwan+KLIPS the feature that allows one to accomplish this is
>>> called "SAref tracking". I am wondering if there is something similar
>>> implemented for the StrongSwan+NETKEY combination? So far I have looked
>>> into the XFRM framework and it seems that it would need a couple of
>>> changes there. I am wondering if this could have already been or is
>>> going to be implemented by some other means in StrongSwan and NETKEY?
>>>
>>> Also there are some performance considerations why we would like to
>>> rather use StrongSwan (Charon) + NETKEY instead of OpenSwan (Pluto) +
>>> KLIPS.
>>>
>>>
>>> Here is a sample Networking diagram:
>>>
>>> IpsecClient1<--- Computer1 (192.168.0.100/24)
>>>   |
>>>   |
>>>   Internet
>>>   |
>>>   v
>>> IpsecServer (translate Computer1 IP to 10.0.0.1/8 and Computer2 IP to
>>> 10.0.0.2/8) ------NAT 10.0.0.0/8 subnet to a public IP ------->
>>> Internet
>>>   ^
>>>   |
>>>   Internet
>>>   |
>>>   |
>>> IpsecClient2<--- Computer2 (192.168.0.100/24)
>>>
>>>
>>> Regards,
>>> Ansis

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
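As an added illustration of the point above (example code, not the thread's or strongSwan's own _updown script): an updown-script fragment that emits the iptables rules setting the XFRM mark on both the inbound and the outbound side. It assumes the PLUTO_VERB, PLUTO_PEER, PLUTO_PEER_CLIENT, PLUTO_MARK_IN, PLUTO_MARK_OUT and PLUTO_UDP_ENC variables that strongSwan exports to the updown script.

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown. Prints the iptables rules an
# updown script would run so that XFRM finds a mark in both directions.
# Assumed inputs (strongSwan updown environment):
#   PLUTO_VERB          up-client / down-client
#   PLUTO_PEER          remote IKE endpoint address
#   PLUTO_PEER_CLIENT   remote subnet
#   PLUTO_MARK_IN/OUT   mark[/mask] of the inbound / outbound SA
#   PLUTO_UDP_ENC       remote UDP port when ESP is UDP-encapsulated (NAT-T)

# Keep only the mark value; a "/mask" suffix is dropped for readability.
mark_value() {
    printf '%s\n' "${1%%/*}"
}

# $1 is the iptables action (-A on up, -D on down). Commands are printed so a
# caller can review them or pipe them to sh.
xfrm_mark_rules() {
    action=${1:--A}
    in_mark=$(mark_value "$PLUTO_MARK_IN")
    out_mark=$(mark_value "$PLUTO_MARK_OUT")
    # Inbound: XFRM wants the mark before the inbound SA lookup, although the
    # SPI alone would identify the SA. Mark raw ESP and NAT-T (UDP 4500) from
    # the peer; with NAT-T the peer's source port tells two clients behind one
    # NAT apart, so include it when known.
    udp_src=${PLUTO_UDP_ENC:+--sport $PLUTO_UDP_ENC }
    printf 'iptables -t mangle %s PREROUTING -s %s -p esp -j MARK --set-mark %s\n' \
        "$action" "$PLUTO_PEER" "$in_mark"
    printf 'iptables -t mangle %s PREROUTING -s %s -p udp %s--dport 4500 -j MARK --set-mark %s\n' \
        "$action" "$PLUTO_PEER" "$udp_src" "$in_mark"
    # Outbound: mark plaintext for the remote subnet so policy lookup picks
    # this peer's SA. With identical remote subnets the destination alone is
    # ambiguous and the selector must be whatever distinguishes the peers
    # (for instance the translated address discussed in the thread).
    for chain in PREROUTING OUTPUT; do
        printf 'iptables -t mangle %s %s -d %s -j MARK --set-mark %s\n' \
            "$action" "$chain" "$PLUTO_PEER_CLIENT" "$out_mark"
    done
}

# Add the rules when the CHILD_SA comes up, remove them when it goes down.
updown_marks() {
    case "$PLUTO_VERB" in
        up-client)   xfrm_mark_rules -A ;;
        down-client) xfrm_mark_rules -D ;;
    esac
}
```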