Alexandre Chapellon a.chapellon at horoa.net
Mon Jun 13 14:59:17 CEST 2011

Here is something concrete:

|  customer1 LAN   |   ipsec tunnel1 
|_192.168.1.0/24_|============| STRONGSWAN  
VPN          |
| _customer1_LAN_|   ipsec tunnel2 

I hope the upper schema will be clear enough...
So, my two right peers share the same IP subnet and are connected to the 
same VPN gateway. Behind that gateway I have several VLANs, each belonging 
to a specific customer. Packets coming from VLAN 10 are bound to 
rt_tables 10 and packets coming from VLAN 20 must use routing table 20, 
as defined by ip rule policies (the rules are based on fwmark and iif), 
so that networks are isolated from each other and *no* traffic can pass 
through customer networks.
Today what I do is use a mangle iptables rule to mark packets belonging 
to 'ipsec tunnel 1'. Basically:

Chain PREROUTING (policy ACCEPT 60363 packets, 39M bytes)
  pkts bytes target     prot opt in     out     source               
  1298  328K MARK       udp  --  *      *      udp spt:4500 dpt:4500 MARK set 0x10

It works, but I'm not sure it's a very clean way, and it relies on the fact 
that the right peer has a fixed IP address (as I manually add the rules... 
test phase).
That's why I wanted to use "mark[_in|_out]" to help me smoothly and 
reliably mark packets belonging to a specific ipsec tunnel, so I can 
forget about mangling rule hooks... Am I clear enough?


On 13/06/2011 14:27, Andreas Steffen wrote:
> The XFRM marks feature was rather intended for multiple peers which
> have the same subnet (e.g. so that these subnets
> must be mapped via address translation to distinct subnets after ESP
> decapsulation). See also our example under the link
> http://www.strongswan.org/uml/testresults45/ikev2/nat-two-rw-mark/index.html 
> If your peers have distinct subnets but if you don't want them
> to access the same routes/subnets on the gateway side then you
> can set up IPsec policy rules based e.g. on rightid wildcards.
> If you want to control access via iptables then you must set
> a mark on the inbound encrypted ESP packets via an iptables
> mangle rule in the INPUT chain via a customized updown script.
> I suggest drawing up a scenario of what you intend to do.
> Regards
> Andreas
> On 06/13/2011 02:04 PM, Alexandre Chapellon wrote:
>> Hello,
>> I have a VPN gateway I'd like to use for several customers. Some of them
>> may share the same IP subnets.
>> In order to avoid conflicting routing, and to ensure isolation, I'd like
>> to "bind" each customer to its own routing tables using iproute2. I have
>> seen an option in strongswan that seems really interesting to achieve
>> this, but apparently it doesn't work as I expect: the mark[_in|_out] 
>> option.
>> I supposed that using this option would apply an fwmark to packets that
>> belong to the connection they come from/to, and so I expected such
>> packets to be match-able by iptables and iproute... Unfortunately it
>> doesn't... well at least it doesn't with my config.
>> Did I misunderstand this option?
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
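As an added example (not code from this thread or from strongSwan), the following script generates the per-customer marking and policy-routing rules the poster describes, in the shape a customized updown script would apply when a tunnel comes up or goes down: the inbound NAT-T/ESP packets from one peer get an fwmark in the mangle PREROUTING chain, and "ip rule" entries send packets carrying that mark, or entering on the customer's VLAN, to a dedicated routing table. Only the peer address needs to be known; in strongSwan's _updown it is available as $PLUTO_PEER. All other values (marks, table numbers, interface names, the 203.0.113.0/24 peer addresses) are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): per-customer marking and policy routing.
# Generation is separated from execution so the rules can be reviewed; APPLY=1
# runs them (requires root).

# gen_rules add|del PEER_IP MARK TABLE VLAN_IF
# Print, one per line, the commands for one customer's tunnel.
gen_rules() {
    action="$1"; peer="$2"; mark="$3"; table="$4"; vlan="$5"
    case "$action" in
        add) ipt=-A; ipr=add ;;
        del) ipt=-D; ipr=del ;;
        *)   echo "usage: gen_rules add|del PEER_IP MARK TABLE VLAN_IF" >&2; return 1 ;;
    esac
    # Mark inbound NAT-T (UDP 4500) and plain ESP from this peer. The poster
    # reports that the mark survives decapsulation, so the decrypted packets
    # can be matched by "ip rule" as well.
    echo "iptables -t mangle $ipt PREROUTING -s $peer -p udp --dport 4500 -j MARK --set-mark $mark"
    echo "iptables -t mangle $ipt PREROUTING -s $peer -p esp -j MARK --set-mark $mark"
    # Tunnel traffic (by mark) and VLAN traffic (by ingress interface) both
    # use the customer's own table; priority is derived from the table number.
    echo "ip rule $ipr fwmark $mark table $table priority $((1000 + table))"
    echo "ip rule $ipr iif $vlan table $table priority $((1000 + table))"
    # No fall-through to the main table: anything without a route in the
    # customer's table is dropped, which is what keeps customers apart.
    echo "ip route $ipr unreachable default table $table"
}

# apply_rules add|del PEER_IP MARK TABLE VLAN_IF
# Dry-run by default; APPLY=1 executes each generated command.
apply_rules() {
    gen_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || echo "failed: $cmd" >&2
        else
            echo "# dry-run: $cmd"
        fi
    done
}

# Two customers whose LANs overlap (constructed sample peer addresses):
apply_rules add 203.0.113.10 0x10 10 eth0.10
apply_rules add 203.0.113.20 0x20 20 eth0.20
```

Called from an updown script with `$PLUTO_PEER` as the peer address, the rules appear when the tunnel is established and are removed with the `del` action when it goes down, so nothing has to be added by hand and the peer's address no longer needs to be fixed in advance. The "unreachable default" route in each table is the isolation guarantee: a packet marked for customer 10 that has no route in table 10 is rejected rather than routed via the main table into another customer's VLAN.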

