[strongSwan] Colliding subnets, NETMAP and charon/pluto

Dennis Jacobfeuerborn dennisml at conversis.de
Sun Sep 14 16:55:08 CEST 2014

Hi Noel,
do you have a practical example for this? I added mark_in=2 and
mark_out=3 in the configuration but after restarting everything I don't
see any lines like "mark 2/0xffffffff" in the output of "ip xfrm policy".
I'm not wedded to any particular method to accomplish this so what I'm
really interested in is given a working Tunnel that looks like this:

SubnetA <-> (tunnel) <-> SubnetB

what specific changes to the configuration and/or scripts (if any) are
required to change this into:

SubnetA <NAT> FakeSubnetA <-> (tunnel) <-> SubnetB

I searched the web, but while I found lots of theoretical explanations of
how this can be accomplished, I found no practical examples of how this is
set up using strongSwan.


On 12.09.2014 20:17, Noel Kuntze wrote:
> Hello Dennis,
> You can use the mark_in and mark_out options to have policies for both subnets.
> You then need to use iptables to distinguish traffic to and from the different identical
> subnets and mark it appropriately using -j MARK {parameters}.
> The _updown and _updown_espmark are actually a legacy thing but are used and invoked by charon, too.
> Modify it appropriately to insert the rules. The file works correctly by default.
> Of course, you can also use netmap instead.
> Kind regards/Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 12.09.2014 at 17:33, Dennis Jacobfeuerborn wrote:
>> Hi,
>> I've set up a couple of IPsec tunnels using strongSwan so far and it
>> works great; however, now I've hit a little bump.
>> I need to set up a tunnel where the /24 subnets on both sides collide.
>> After some reading it seems that I need to set up an additional /24
>> subnet on my end which will be used as the subnet of the tunnel and then
>> use iptables NETMAP rules to NAT IPs from this "fake" subnet to the real
>> one and back.
>> Apparently the Strongswan RPM I'm using comes with a script
>> "_updown_espmark" that is supposed to do something like that but it
>> seems to have been written for the pluto daemon and its interfaces even
>> though Strongswan now comes with charon.
>> If the actual subnet I want to use is and the "fake" one for
>> NATing purposes is what iptables rules would I need make
>> this work?
>> Regards,
>>   Dennis
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
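As an added example (not code from the thread, from strongSwan or from its _updown scripts), here is a sketch of the NETMAP variant Noel mentions, for the one-sided case in Dennis's diagram: the connection advertises the fake /24 as leftsubnet, and two nat-table rules do the translation. The subnets, the connection name and the `-m policy` restriction on the PREROUTING rule are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: one-sided NETMAP for a colliding /24.
# All addresses and the connection name are constructed placeholders; the
# thread omits the real values.
REAL_A="192.168.1.0/24"   # real LAN behind this gateway (collides with SubnetB)
FAKE_A="10.99.1.0/24"     # unused /24 that the tunnel carries instead of REAL_A
SUBNET_B="192.168.1.0/24" # remote LAN, same prefix as REAL_A

# strongSwan side: the connection negotiates the fake prefix, never the real
# one, so the traffic selectors on both peers stay unambiguous.
ipsec_conf_fragment() {
    cat <<EOF
conn colliding
    leftsubnet=$FAKE_A
    rightsubnet=$SUBNET_B
    auto=start
EOF
}

# iptables side. NETMAP rewrites only the network part and keeps the host
# bits, and conntrack undoes the translation on the reply packets of a flow:
#  - PREROUTING: decrypted packets from the tunnel addressed to FakeA are
#    DNATed to the corresponding real host. "-m policy --dir in --pol ipsec"
#    keeps cleartext packets that merely claim a FakeA destination from being
#    translated into the LAN.
#  - POSTROUTING: packets from the real LAN going into the tunnel are SNATed
#    to their FakeA twin, so the peer only ever sees FakeA. Hosts on A can only
#    originate such traffic if B is presented to them under a non-colliding
#    prefix as well (the mirror of this setup), which the thread does not cover.
netmap_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -d $FAKE_A -m policy --dir in --pol ipsec -j NETMAP --to $REAL_A
iptables -t nat -A POSTROUTING -s $REAL_A -d $SUBNET_B -j NETMAP --to $FAKE_A
EOF
}

# What NETMAP does to one address of a /24: swap the prefix, keep the last
# octet. Usage: netmap_host <address> <target-prefix/24>
netmap_host() {
    host="${1##*.}"   # last octet of the original address
    prefix="${2%.*}"  # first three octets of the target /24
    printf '%s.%s\n' "$prefix" "$host"
}

# Review the generated configuration before applying the rules as root.
ipsec_conf_fragment
netmap_rules
netmap_host 192.168.1.37 "$FAKE_A"   # prints 10.99.1.37
```

Once the connection is up, `ip xfrm policy` should list the fake prefix (10.99.1.0/24 here) as the local selector; no `mark` line is expected in this variant because it does not use mark_in/mark_out at all.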