Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 13 14:27:24 CEST 2011

The XFRM marks feature was rather intended for multiple peers which
have the same subnet (e.g. so that these subnets
must be mapped via address translation to distinct subnets after ESP
decapsulation). See also our example under the link


If your peers have distinct subnets but you don't want them
to access the same routes/subnets on the gateway side, then you
can set up IPsec policy rules based e.g. on rightid wildcards.

If you want to control access via iptables then you must set
a mark on the inbound encrypted ESP packets via an iptables
mangle rule in the INPUT chain, added by a customized updown script.

I suggest drawing up a scenario of what you intend to do.



On 06/13/2011 02:04 PM, Alexandre Chapellon wrote:
> Hello,
> I have a VPN gateway I'd like to use for several customers. Some of them
> may share the same IP subnets.
> In order to avoid conflicting routing, and to ensure isolation, I'd like
> to "bind" each customer to its own routing tables using iproute2. I have
> seen an option in strongswan that seems really interesting to achieve
> this, but apparently it doesn't work as I expect: the mark[_in|_out] option.
> I supposed that using this option would apply an fwmark to packets that
> belong to the connection they come from/go to, and so I expected such
> packets to be matchable by iptables and iproute... Unfortunately it
> doesn't... well at least it doesn't with my config.
> Did I misunderstand these options?

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
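One way to do what the reply above describes, as an added example that is not part of the original mail and not strongSwan's own _updown script: a minimal custom updown hook that marks inbound ESP from the peer in the mangle INPUT chain (so the kernel's inbound XFRM state lookup finds the SA installed with the conn's mark_in) and binds that mark to a per-customer routing table with an iproute2 fwmark rule. It assumes that charon exports PLUTO_PEER and PLUTO_MARK_IN (as "mark" or "mark/mask") to the script, that the mark value doubles as the routing table number, and that a hypothetical RUN variable switches between printing the commands (the default, a dry run) and executing them.

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown script: a minimal custom updown
# hook for per-customer isolation with XFRM marks.
#   * mangle INPUT marks inbound ESP from the peer, so the kernel's inbound
#     XFRM state lookup finds the SA installed with the conn's mark_in.
#   * an "ip rule ... fwmark" sends the decapsulated packets, which keep the
#     mark, to a routing table owned by that customer.
# Assumptions (not taken from the mail): charon exports PLUTO_PEER and
# PLUTO_MARK_IN ("mark" or "mark/mask") to this script, the mark value is
# reused as the routing table number, and RUN (hypothetical) selects dry run
# (echo, the default) or real execution (RUN="").
#
# Dry run with constructed values:
#   PLUTO_VERB=up-client PLUTO_PEER=192.0.2.1 PLUTO_MARK_IN=0x10/0xffffffff \
#       sh updown-mark.sh

RUN=${RUN:-echo}

# mark_value: drop an optional "/mask" suffix, e.g. "0x10/0xffffffff" -> "0x10"
mark_value() {
    printf '%s\n' "${1%%/*}"
}

# table_for_mark: routing table number for a mark (its decimal value)
table_for_mark() {
    printf '%d\n' "$(( $(mark_value "$1") ))"
}

# esp_mark_rule: iptables command that marks ESP from the peer in mangle INPUT
# $1 = -A (add) or -D (delete), $2 = peer address, $3 = mark[/mask]
esp_mark_rule() {
    printf 'iptables -t mangle %s INPUT -p esp -s %s -j MARK --set-xmark %s\n' \
        "$1" "$2" "$3"
}

# fwmark_rule: ip rule sending marked packets to the customer's routing table
# $1 = add or del, $2 = mark[/mask]
fwmark_rule() {
    printf 'ip rule %s fwmark %s lookup %s priority 100\n' \
        "$1" "$(mark_value "$2")" "$(table_for_mark "$2")"
}

# apply: install (up-*) or remove (down-*) both rules for the updown verb in $1,
# using the PLUTO_* environment charon passes to the script
apply() {
    case "$1" in
        up-client|up-host)     act=-A; verb=add ;;
        down-client|down-host) act=-D; verb=del ;;
        *) return 0 ;;         # other verbs (e.g. IPv6 variants) are ignored here
    esac
    $RUN $(esp_mark_rule "$act" "$PLUTO_PEER" "$PLUTO_MARK_IN")
    $RUN $(fwmark_rule "$verb" "$PLUTO_MARK_IN")
}

# Dispatch only when charon invokes us (PLUTO_VERB set); sourcing the file in a
# shell just defines the functions.
if [ -n "${PLUTO_VERB:-}" ]; then
    apply "$PLUTO_VERB"
fi
```

Point leftupdown at the script for each customer's conn, giving every conn a distinct mark value. Reply traffic leaving the gateway is matched against mark_out in the outbound XFRM policy lookup, so it has to carry the mark before that lookup (for example restored from the connection mark in the mangle PREROUTING/OUTPUT chains); that part, and the address translation Andreas mentions for overlapping subnets, is not covered by this example.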

