[strongSwan] Overlapping rightsubnets - Is it possible to determine on which tunnel packet arrived?

Bharath Kumar cbkumar at gmail.com
Sat Apr 6 04:42:48 CEST 2013


I did some more digging and found this to be the closest to what I want.

http://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/index.html

Just an FYI, I have Strongswan installed and working in many scenarios
including iOS connections, Android connections, and also site-to-site VPN
connections all working in parallel. The site-to-site connections work as
long as the subnets behind the right (Cisco ASA) devices are unique and not
overlapping. Unfortunately, in my setup both have 192.168.1.0/24 as I
mentioned in the earlier post.

The console.log of nat-rw-mark shows how iptables SNAT is applied in the
POSTROUTING chain to differentiate the connections from alice and venus at
bob. My scenario is slightly different in the sense that I want to redirect
packets from alice and venus to a squid proxy on "sun". That means, I won't
have the opportunity to apply the SNAT in POSTROUTING chain.

At the moment, I am planning to follow this example with a small variation.
I'd have squid listen on multiple ports, with a dedicated port for each of
the connecting routers (alice and venus in this example) and do DNAT in the
PREROUTING chain. On squid I can then use the unique port number as the
unique identifier.

I'd appreciate it if anyone can offer a simpler method.

Thanks a lot.

Bharath Kumar

On Thu, Apr 4, 2013 at 3:24 PM, Bharath Kumar <cbkumar at gmail.com> wrote:

> Hi All,
>
> I have a question on this scenario.
>
> Left --- Strongswan Gateway
> =====================
>
> Two connection profiles
>
> conn cisco-asa-1
>     ....
>     ....
>     left=%defaultroute
>     right=<ip-of-cisco-asa-1>
>     rightsubnet=192.168.1.0/24
>
>
> conn cisco-asa-2
>     ....
>     ....
>     left=%defaultroute
>     right=<ip-of-cisco-asa-2>
>     rightsubnet=192.168.1.0/24
>
>
> As you can see, the rightsubnet is the same for both connection profiles. I
> want to be able to determine which tunnel the packets came through when I
> receive packets from remote hosts, say 192.168.1.9.
>
> Is there any way to do that? Any help is greatly appreciated!
>
>
> Thanks,
> Bharath Kumar
>
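The per-tunnel mark approach from the nat-rw-mark test, adapted to the DNAT-in-PREROUTING plan above, as an added illustration that is not part of the original post and not strongSwan's own test scripts. Each conn gets its own fwmark via mark_in/mark_out, iptables sets that mark on the inbound ESP from each peer before decryption so the kernel selects that conn's SA, and since the decapsulated packet keeps the mark, the nat PREROUTING chain can DNAT by mark to a per-tunnel squid port. The peer addresses, the marks 10 and 20, the squid address and the ports 3128/3129 are assumptions; the sketch also assumes squid runs on the gateway itself.

```shell
#!/bin/sh
# Added example for the overlapping-rightsubnet case discussed in this thread.
# Not the poster's configuration and not strongSwan's nat-rw-mark scripts; all
# addresses, marks and ports below are assumed placeholders.
#
# Without arguments the script only prints the ipsec.conf sections and the
# iptables commands (dry run). With "apply" it executes the iptables commands.

ASA1_IP=203.0.113.10   # stand-in for <ip-of-cisco-asa-1> (TEST-NET-3)
ASA2_IP=198.51.100.20  # stand-in for <ip-of-cisco-asa-2> (TEST-NET-2)
SQUID_IP=10.0.0.1      # gateway address on which squid listens (assumed)

# ipsec_conf NAME PEER_IP MARK -> prints one conn section carrying the tunnel's mark
ipsec_conf() {
    cat <<EOF
conn $1
    left=%defaultroute
    right=$2
    rightsubnet=192.168.1.0/24
    mark_in=$3
    mark_out=$3
    auto=add

EOF
}

# tunnel_rules PEER_IP MARK SQUID_PORT -> prints the iptables commands for one tunnel
tunnel_rules() {
    peer=$1; mark=$2; port=$3
    # Mark ESP (IP proto 50) and UDP-encapsulated ESP (NAT-T, port 4500) arriving
    # from this peer so that the inbound SA installed with mark_in=$mark decrypts it.
    echo "iptables -t mangle -A PREROUTING -s $peer -p esp -j MARK --set-xmark $mark"
    echo "iptables -t mangle -A PREROUTING -s $peer -p udp --sport 4500 --dport 4500 -j MARK --set-xmark $mark"
    # The decapsulated packet re-enters PREROUTING with the same mark. Remember the
    # mark on the conntrack entry and redirect HTTP from this tunnel to its squid port.
    echo "iptables -t mangle -A PREROUTING -m policy --dir in --pol ipsec -m mark --mark $mark -j CONNMARK --save-mark"
    echo "iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -m mark --mark $mark -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$port"
}

# common_rules -> rules that do not depend on the tunnel
common_rules() {
    # Squid's replies are locally generated. Restoring the connection mark in
    # mangle OUTPUT makes the kernel re-route them with that mark, so the reply to
    # 192.168.1.9 matches the mark_out policy of the tunnel the request came from
    # instead of whichever conn with 192.168.1.0/24 happens to win the lookup.
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
}

# emit_all -> the full dry-run output: two conn sections and nine iptables commands
emit_all() {
    ipsec_conf cisco-asa-1 "$ASA1_IP" 10
    ipsec_conf cisco-asa-2 "$ASA2_IP" 20
    tunnel_rules "$ASA1_IP" 10 3128
    tunnel_rules "$ASA2_IP" 20 3129
    common_rules
}

if [ "${1:-}" = apply ]; then
    emit_all | grep '^iptables' | sh -e
else
    emit_all
fi
```

Squid then needs one intercept listener per port (http_port 3128 intercept and http_port 3129 intercept in squid.conf), and the port it accepted the connection on identifies the tunnel, which is exactly the unique identifier the plan above relies on. The CONNMARK restore rule is the part that is easy to forget: without it both tunnels' 192.168.1.0/24 policies are candidates for squid's reply packets, and the reply can be sent through the wrong tunnel.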