[strongSwan] strongswan routing

Alexandre Chapellon a.chapellon at horoa.net
Wed Jun 15 16:51:49 CEST 2011


Thanks Andreas.

It now works as expected.
The only thing is that when doing ip xfrm policy ls I can't see any reference 
to the mark specified by mark_in (I have no mark_out).

  ip -s xfrm policy ls
src 172.17.2.0/24 dst 172.20.16.0/24 uid 0
     dir fwd action allow index 27594 priority 1760 ptype main share any flag  (0x00000000)
     lifetime config:
       limit: soft (INF)(bytes), hard (INF)(bytes)
       limit: soft (INF)(packets), hard (INF)(packets)
       expire add: soft 0(sec), hard 0(sec)
       expire use: soft 0(sec), hard 0(sec)
     lifetime current:
       0(bytes), 0(packets)
       add 2011-06-15 16:43:58 use 2011-06-15 16:44:01
     tmpl src 77.205.210.149 dst 217.112.53.229
         proto esp spi 0x00000000(0) reqid 12(0x0000000c) mode tunnel
         level required share any
         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.17.2.0/24 dst 172.20.16.0/24 uid 0
     dir in action allow index 27584 priority 1760 ptype main share any flag  (0x00000000)
     lifetime config:
       limit: soft (INF)(bytes), hard (INF)(bytes)
       limit: soft (INF)(packets), hard (INF)(packets)
       expire add: soft 0(sec), hard 0(sec)
       expire use: soft 0(sec), hard 0(sec)
     lifetime current:
       0(bytes), 0(packets)
       add 2011-06-15 16:43:58 use -
     tmpl src 77.205.210.149 dst 217.112.53.229
         proto esp spi 0x00000000(0) reqid 12(0x0000000c) mode tunnel
         level required share any
         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.20.16.0/24 dst 172.17.2.0/24 uid 0
     dir out action allow index 27577 priority 1760 ptype main share any flag  (0x00000000)
     lifetime config:
       limit: soft (INF)(bytes), hard (INF)(bytes)
       limit: soft (INF)(packets), hard (INF)(packets)
       expire add: soft 0(sec), hard 0(sec)
       expire use: soft 0(sec), hard 0(sec)
     lifetime current:
       0(bytes), 0(packets)
       add 2011-06-15 16:43:58 use 2011-06-15 16:44:01
     tmpl src 217.112.53.229 dst 77.205.210.149
         proto esp spi 0x00000000(0) reqid 12(0x0000000c) mode tunnel
         level required share any
         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src ::/0 dst ::/0 uid 0
...

Does it mean any packet matching the policy but without the mark would 
match the policy? Or is it that marks are not visible with ip xfrm policy ls? 
If the latter is true, how can I ensure the mark is part of the policy?

Best regards.

P.S.: Do you mind if I send my ifupdown script for a kind of validation 
from you?

On 15/06/2011 09:29, Andreas Steffen wrote:
> Hello Alexandre,
>
> your configuration should look like this:
>
> conn customer1
>     rightid=<customer 1 ID>
>     leftsubnet=<VLAN1>
>     mark=10
>     also=gateway
>     auto=add
>
> conn customer2
>     rightid=<customer 1 ID>
>     leftsubnet=<VLAN1>
>     mark=20
>     also=gateway
>     auto=add
>
> conn gateway
>     right=%any
>     left=<gateway IP or %any>
>     leftcert=<gateway cert>
>     leftid=<gateway ID>
>     leftupdown=/etc/mark_updown
>
> assuming that your clients have dynamic IP addresses so
> that you must resort to the peer ID to identify the clients.
> You then need a customized mark_updown script which uses
> NETMAP to translate the peer networks based on the peer
> identities. You can start from the following scripts:
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown;h=c64158a2f876e79ae2f43c4342d3c2956b483a9d;hb=HEAD 
>
>
> although the scenario is slightly different.
>
> Regards
>
> Andreas
>
> On 06/13/2011 03:10 PM, Alexandre Chapellon wrote:
>> Here is something concrete:
>>
>>
>> | cutomer1 LAN |  ipsectun1                 VLAN1
>> |_192.168.1/24_|============| STRONGSWAN |----------|_customer1_hosted_|
>>                               |            |
>>                               |     VPN    |
>>                               |            |
>> | 192.168.1/24 |============|__GATEWAY___|----------|_customer2_hosted_|
>> |_cutomer2_LAN_|  ipsectun2                 VLAN2
>>
>>
>>
>> Should be better... hopefully.
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
