[strongSwan] Colliding subnets, NETMAP and charon/pluto

Noel Kuntze noel at familie-kuntze.de
Fri Sep 12 20:17:14 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Dennis,

You can use the mark_in and mark_out options to have policies for both subnets.
You then need to use iptables to distinguish traffic to and from the different identical
subnets and mark it appropriately using -j MARK {parameters}.
The _updown and _updown_espmark are actually a legacy thing but are used and invoked by charon, too.
Modify it appropriately to insert the rules. The file works correctly by default.
Of course, you can also use netmap instead.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 12.09.2014 at 17:33, Dennis Jacobfeuerborn wrote:
> Hi,
> I've set up a couple of IPSEC tunnels using Strongswan so far and it
> works great however now I've hit a little bump.
> I need to set up a tunnel where the /24 subnets on both sides collide.
> After some reading it seems that I need to set up an additional /24
> subnet on my end which will be used as the subnet of the tunnel and then
> use iptables NETMAP rules to NAT IPs from this "fake" subnet to the real
> one and back.
>
> Apparently the Strongswan RPM I'm using comes with a script
> "_updown_espmark" that is supposed to do something like that but it
> seems to have been written for the pluto daemon and its interfaces even
> though Strongswan now comes with charon.
>
> If the actual subnet I want to use is 10.1.0.0/24 and the "fake" one for
> NATing purposes is 192.168.0.0/24 what iptables rules would I need to make
> this work?
>
> Regards,
>   Dennis
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

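As an added example (not from the thread, and not strongSwan's own _updown or _updown_espmark script), the following POSIX shell script prints the two iptables NETMAP rules for the numbers Dennis gives: the real LAN 10.1.0.0/24 and the "fake" subnet 192.168.0.0/24 that the peer addresses it by. It assumes that 192.168.0.0/24 is configured as leftsubnet in ipsec.conf and that the peer presents its own LAN as 192.168.1.0/24 (rightsubnet); both of those values are assumptions, not something stated in the thread, and the peer gateway needs the mirror-image mapping for its own colliding /24.

```shell
#!/bin/sh
# Added example; not code from the mailing-list thread or from strongSwan.
# Prints the NETMAP rules for the colliding-subnet case described in the thread.
REAL_NET="10.1.0.0/24"       # this side's real LAN (from the thread)
FAKE_NET="192.168.0.0/24"    # the "fake" subnet the peer uses for our LAN (from the thread)
# ASSUMPTION (not in the thread): the subnet the peer presents inside the tunnel
# (rightsubnet in ipsec.conf). The peer needs the mirror-image NETMAP for its LAN.
PEER_NET="${PEER_NET:-192.168.1.0/24}"

# netmap_rules REAL FAKE PEER
# Prints the rules instead of executing them, so they can be reviewed first and
# then piped to sh on the gateway or placed in the up/down hooks of _updown.
netmap_rules() {
    real="$1"; fake="$2"; peer="$3"
    # Inbound: after decryption the packet is addressed to FAKE; rewrite the
    # network part of the destination to REAL before the routing decision.
    # "-m policy --dir in --pol ipsec" limits this to packets that came out of
    # an IPsec SA, so unprotected traffic to 192.168.0.0/24 is left untouched.
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -m policy --dir in --pol ipsec -j NETMAP --to %s\n' \
        "$peer" "$fake" "$real"
    # Outbound: traffic from REAL to the peer gets its source network rewritten
    # to FAKE in POSTROUTING. No policy match here: the IPsec policy for
    # leftsubnet=FAKE only matches after the source has been rewritten, and the
    # kernel re-runs the policy lookup once NAT has changed the packet.
    # Matching on the peer's subnet as destination keeps the rule tunnel-specific.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j NETMAP --to %s\n' \
        "$real" "$peer" "$fake"
}

# netmap_host ADDR TARGET_NET
# Illustrates what NETMAP does to a single address for a /24 mapping: the
# network part is replaced, the host part (last octet) is preserved.
# Handles /24 only; NETMAP itself works for any prefix length.
netmap_host() {
    addr="$1"; target="${2%/*}"          # drop the "/24"
    printf '%s.%s\n' "${target%.*}" "${addr##*.}"
}

netmap_rules "$REAL_NET" "$FAKE_NET" "$PEER_NET"
```

With these rules a peer host reaching 192.168.0.5 ends up at 10.1.0.5, and the reply leaves the tunnel with source 192.168.0.5 again, which is the address the peer's IPsec policy expects. Hosts on the real LAN still need a route for the peer's subnet via the gateway, and the mark_in/mark_out approach from the reply above remains an alternative if both tunnels must coexist on one gateway.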


