[strongSwan] strongswan routing

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 13 14:27:24 CEST 2011


The XFRM marks feature was rather intended for multiple peers which
have the same subnet (e.g. 192.168.1.0/24), so that these subnets
must be mapped via address translation to distinct subnets after ESP
decapsulation. See also our example under the link

http://www.strongswan.org/uml/testresults45/ikev2/nat-two-rw-mark/index.html

If your peers have distinct subnets but you don't want them
to access the same routes/subnets on the gateway side, then you
can set up IPsec policy rules based e.g. on rightid wildcards.

If you want to control access via iptables, then you must set
a mark on the inbound encrypted ESP packets via an iptables
mangle rule in the INPUT chain, added by a customized updown script.

I suggest drawing up a scenario of what you intend to do.

Regards

Andreas

On 06/13/2011 02:04 PM, Alexandre Chapellon wrote:
> Hello,
>
> I have a VPN gateway I'd like to use for several customers. Some of them
> may share the same IP subnets.
> In order to avoid conflicting routing, and to ensure isolation, I'd like
> to "bind" each customer to its own routing table using iproute2. I have
> seen an option in strongSwan that seems really interesting to achieve
> this, but apparently it doesn't work as I expect: the mark[_in|_out] option.
>
> I supposed that using this option would apply a fwmark to packets that
> belong to the connection they come from/go to, and so I expected such
> packets to be matchable by iptables and iproute... Unfortunately it
> doesn't... well, at least it doesn't with my config.
>
> Did I misunderstand this option?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
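The reply above says that with mark_in set, the mark has to be put on the still-encrypted inbound ESP packet by an iptables mangle rule in the INPUT chain, installed from a customized updown script. The following is an added example of such a script (it is not strongSwan's own _updown and not from the thread). The PLUTO_* variable names are the ones strongSwan exports to updown scripts; the mark is placed before the kernel looks up the inbound SA, and since the decapsulated packet keeps the mark, an "ip rule" then steers that customer's cleartext traffic into its own routing table. Assumptions for the example: PLUTO_MARK_IN is usable directly as a mark value (value[/mask], which both iptables MARK and ip rule accept), PLUTO_UDP_ENC is set to the peer's UDP port only when NAT-T is in use, and a routing table named after the connection exists in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example: an updown-style script that marks inbound ESP per peer
# so that an SA with mark_in is found by the kernel and the decrypted
# traffic can be policy-routed by fwmark. Not strongSwan's _updown.

IPTABLES=${IPTABLES:-iptables}   # set to "echo" for a dry run
IP=${IP:-ip}

# Install (up) or remove (down) the marking for one peer.
#   $1 verb     up-client | down-client               (PLUTO_VERB)
#   $2 me       gateway address                        (PLUTO_ME)
#   $3 peer     peer address                           (PLUTO_PEER)
#   $4 mark     inbound mark, e.g. 0x2a or 42/0xffffffff (PLUTO_MARK_IN, assumed format)
#   $5 natport  peer UDP port when NAT-T is used, "" otherwise (PLUTO_UDP_ENC, assumed)
#   $6 table    routing table for this peer's cleartext traffic (assumed = connection name)
mark_peer() {
    verb=$1 me=$2 peer=$3 mark=$4 natport=$5 table=$6
    case $verb in
        up-client)   act=-A rule=add ;;
        down-client) act=-D rule=del ;;
        *) return 0 ;;   # up-host/down-host and friends: nothing to do here
    esac
    if [ -n "$natport" ]; then
        # NAT-T: ESP arrives UDP-encapsulated, so match the outer UDP header.
        # The mark is set in mangle INPUT, i.e. before UDP decapsulation and
        # before the inbound SA lookup that requires it.
        "$IPTABLES" -t mangle "$act" INPUT -p udp -s "$peer" --sport "$natport" \
            -d "$me" --dport 4500 -j MARK --set-mark "$mark"
    else
        # Plain ESP (IP protocol 50) from this peer to the gateway.
        "$IPTABLES" -t mangle "$act" INPUT -p esp -s "$peer" -d "$me" \
            -j MARK --set-mark "$mark"
    fi
    # The decapsulated inner packet inherits the mark from the ESP packet,
    # so it can be routed through the customer's own table by fwmark.
    "$IP" rule "$rule" fwmark "$mark" table "$table"
}

# Entry point when strongSwan invokes the script (PLUTO_* are set).
# Running the file by hand without those variables does nothing.
if [ -n "$PLUTO_VERB" ]; then
    mark_peer "$PLUTO_VERB" "$PLUTO_ME" "$PLUTO_PEER" "$PLUTO_MARK_IN" \
              "${PLUTO_UDP_ENC:-}" "$PLUTO_CONNECTION"
fi
```

Point leftupdown= at this file for each customer connection and give each customer its own mark_in (two peers of the same customer may share a mark and thus a table; the "ip rule" line is then added once per peer, which is harmless but worth deduplicating in a real deployment). Without the INPUT-chain rule, an SA configured with mark_in is never matched and inbound ESP is silently dropped, which is the symptom described in the question.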
