[strongSwan] Overlapping rightsubnets - Is it possible to determine on which tunnel packet arrived?
cbkumar at gmail.com
Sat Apr 6 04:42:48 CEST 2013
I did some more digging and found this to be closest to what I want.
Just an FYI, I have strongSwan installed and working in many scenarios
including iOS connections, Android connections, and also site-to-site VPN
connections all working in parallel. The site-to-site connections work as
long as the subnets behind the right (Cisco ASA) devices are unique and not
overlapping. Unfortunately, in my setup both have 192.168.1.0/24 as I
mentioned in the earlier post.
The console.log of nat-rw-mark shows how iptables SNAT is applied in the
POSTROUTING chain to differentiate the connections from alice and venus at
bob. My scenario is slightly different in the sense that I want to redirect
packets from alice and venus to a squid proxy on "sun". That means, I won't
have the opportunity to apply the SNAT in the POSTROUTING chain.
At the moment, I am planning to follow this example with a small variation.
I'd have squid listen on multiple ports, with a dedicated port for each of
the connecting routers (alice and venus in this example) and do DNAT in the
PREROUTING chain. On squid I can then use the unique port number as the
I'd appreciate it if anyone can offer a simpler method.
Thanks a lot.
On Thu, Apr 4, 2013 at 3:24 PM, Bharath Kumar <cbkumar at gmail.com> wrote:
> Hi All,
> I have a question on this scenario.
> Left --- Strongswan Gateway
> Two connection profiles
> conn cisco-asa-1
> right = <ip-of-cisco-asa-1>
> conn cisco-asa-2
> right = <ip-of-cisco-asa-2>
> rightsubnet = 192.168.1.0/24
> As you can see, the rightsubnet is the same for both connection profiles. I
> want to be able to determine which tunnel the packets came through when I
> receive packets from remote hosts, say 192.168.1.9.
> Is there any way to do that? Any help is greatly appreciated!
> Bharath Kumar
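
Added example, not part of the original post or of strongSwan: a sketch of the per-tunnel DNAT plan described above, which prints one nat/PREROUTING rule per connection and refuses input where two tunnels would share a mark or a squid port. It assumes each conn's decapsulated traffic already carries a unique firewall mark as in the nat-rw-mark scenario; the marks, ports, the `192.0.2.10` squid address and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (do not apply) one nat/PREROUTING DNAT rule per tunnel.
# Assumption: each conn's decapsulated traffic already carries a unique
# firewall mark, as in the nat-rw-mark scenario. All values are constructed.
SQUID_IP="192.0.2.10"   # placeholder address for the squid host
WEB_PORT=80             # destination port of the client traffic to redirect

# is_uint VALUE: succeed for a decimal number without leading zeros
# (iptables would read a leading 0 as octal).
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    return 0
}

# gen_rules "conn:mark:port" ...: print the iptables commands, or return 1 if
# an entry is malformed or reuses a mark or port, since a reused value would
# make two tunnels indistinguishable at squid again.
gen_rules() {
    seen_marks=" "; seen_ports=" "; rules=""
    for entry in "$@"; do
        case "$entry" in *:*:*) ;; *) echo "bad entry: $entry" >&2; return 1 ;; esac
        name=${entry%%:*}; rest=${entry#*:}
        mark=${rest%%:*}; port=${rest#*:}
        # Mark 0 is rejected because it also matches unmarked packets.
        if ! { [ -n "$name" ] && is_uint "$mark" && is_uint "$port" &&
               [ "$mark" -ge 1 ] && [ "$mark" -le 4294967295 ] &&
               [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null; then
            echo "bad entry: $entry" >&2; return 1
        fi
        case "$seen_marks" in *" $mark "*) echo "duplicate mark: $mark" >&2; return 1 ;; esac
        case "$seen_ports" in *" $port "*) echo "duplicate port: $port" >&2; return 1 ;; esac
        seen_marks="$seen_marks$mark "; seen_ports="$seen_ports$port "
        rules="${rules}iptables -t nat -A PREROUTING -m mark --mark $mark \
-m comment --comment $name -p tcp --dport $WEB_PORT \
-j DNAT --to-destination $SQUID_IP:$port
"
    done
    printf '%s' "$rules"
}

# Constructed input: conn names from the post, marks and ports chosen here.
gen_rules "cisco-asa-1:10:3129" "cisco-asa-2:20:3130"
```

The block covers only the inbound DNAT step the post describes; routing squid's replies back into the correct tunnel is not shown.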