[strongSwan] strongswan routing
Alexandre Chapellon
a.chapellon at horoa.net
Mon Jun 13 14:59:17 CEST 2011
Here is something concrete:
  _customer1_LAN_    ipsec tunnel1                          VLAN1
 |192.168.1.0/24|============|            |-------------------------|_customer1_hosted_machine_|
                             | STRONGSWAN |
                             |    VPN     |
                             |  GATEWAY   |
 |192.168.1.0/24|============|            |-------------------------|_customer2_hosted_machine_|
  _customer1_LAN_    ipsec tunnel2                          VLAN2
I hope the schema above will be clear enough...
So, my two right peers share the same IP subnet and are connected to the
same VPN gateway. Behind that gateway I have several VLANs, each belonging
to a specific customer. Packets coming from VLAN 10 are bound to
rt_tables 10 and packets coming from VLAN 20 must use routing table 20,
as defined by the ip rule policy (so rules are based on fwmark and iif),
so that networks are isolated from each other and *no* traffic can pass
through customer networks.
Today what I do is use a mangle iptables rule to mark packets belonging
to 'ipsec tunnel 1'. Basically:
Chain PREROUTING (policy ACCEPT 60363 packets, 39M bytes)
 pkts bytes target prot opt in  out source        destination
 1298  328K MARK   udp  --  *   *   77.20.16.13   21.12.5.22   udp spt:4500 dpt:4500 MARK set 0x10
It works, but I'm not sure it's a very clean way, and it relies on the fact
that the right peer has a fixed IP address (as I manually add the rules...
test phase).
That's why I wanted to use "mark[_in|_out]" to help me smoothly and
reliably mark packets belonging to a specific ipsec tunnel, so I can
forget about mangling rule hooks... Am I clear enough?
Regards.
On 13/06/2011 14:27, Andreas Steffen wrote:
> The XFRM marks feature was rather intended for multiple peers which
> have the same subnet (e.g. 192.168.1.0/24) so that these subnets
> must be mapped via address translation to distinct subnets after ESP
> decapsulation. See also our example under the link
>
> http://www.strongswan.org/uml/testresults45/ikev2/nat-two-rw-mark/index.html
>
>
> If your peers have distinct subnets but if you don't want them
> to access the same routes/subnets on the gateway side then you
> can set up IPsec policy rules based e.g. on rightid wildcards.
>
> If you want to control access via iptables then you must set
> a mark on the inbound encrypted ESP packets via an iptables
> mangle rule in the INPUT chain via a customized updown script.
>
> I suggest drawing up a scenario of what you intend to do.
>
> Regards
>
> Andreas
>
> On 06/13/2011 02:04 PM, Alexandre Chapellon wrote:
>> Hello,
>>
>> I have a VPN gateway I'd like to use for several customers. Some of them
>> may share the same IP subnets.
>> In order to avoid conflicting routing, and to ensure isolation, I'd like
>> to "bind" each customer to its own routing tables using iproute2. I have
>> seen an option in strongSwan that seems really interesting to achieve
>> this, but apparently it doesn't work as I expect: the mark[_in|_out]
>> option.
>>
>> I supposed that using this option would apply an fwmark to packets that
>> belong to the connection they come from/go to, and so I expected such
>> packets to be match-able by iptables and iproute... Unfortunately it
>> doesn't... well at least it doesn't with my config.
>>
>> Did I misunderstand this option?
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
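The updown-script approach Andreas describes, as an added illustration that is not part of this thread and not strongSwan's own _updown script: it marks the peer's inbound ESP (and UDP 4500 NAT-T) packets with the connection's mark_in value when the tunnel comes up and removes the rules when it goes down, so no peer address has to be hard-coded. It assumes strongSwan passes PLUTO_VERB, PLUTO_PEER and PLUTO_MARK_IN ("mark/mask") to the hook and that the connection sets mark_in and leftupdown to this script; RUN=echo dry-runs it.

```shell
#!/bin/sh
# Example updown hook (added illustration, not strongSwan's _updown script).
# up-*:   mark the peer's encrypted packets with the connection's mark_in so
#         the existing "ip rule ... fwmark" policy steers decapsulated traffic
#         into the customer's routing table.
# down-*: remove those rules again.
# Assumptions (not from the page): strongSwan exports PLUTO_VERB, PLUTO_PEER
# and PLUTO_MARK_IN ("mark/mask") to the hook. Set RUN=echo to dry-run.
RUN="${RUN-}"

# Print one mangle rule body per line for the peer's ESP and NAT-T traffic.
esp_mark_rules() {
    peer="$1" mark="$2"
    printf '%s\n' \
        "INPUT -p esp -s $peer -j MARK --set-xmark $mark" \
        "INPUT -p udp -s $peer --sport 4500 --dport 4500 -j MARK --set-xmark $mark"
}

# Append (-A) or delete (-D) the rules in the mangle table, one iptables
# call per rule; word-splitting of $rule into arguments is intended.
apply_mark_rules() {
    action="$1" peer="$2" mark="$3"
    esp_mark_rules "$peer" "$mark" | while IFS= read -r rule; do
        $RUN iptables -t mangle "$action" $rule
    done
}

# Dispatch on the verb strongSwan passes; other verbs are ignored.
handle_verb() {
    case "$1" in
        up-host|up-client)     apply_mark_rules -A "$PLUTO_PEER" "$PLUTO_MARK_IN" ;;
        down-host|down-client) apply_mark_rules -D "$PLUTO_PEER" "$PLUTO_MARK_IN" ;;
        *) return 0 ;;
    esac
}

# Only act when invoked by strongSwan (PLUTO_VERB set).
[ -z "${PLUTO_VERB-}" ] || handle_verb "$PLUTO_VERB"
```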