[strongSwan] Colliding subnets, NETMAP and charon/pluto

Andreas Steffen andreas.steffen at strongswan.org
Sun Sep 14 17:42:17 CEST 2014


Hi Dennis,

A long time ago I created two example scenarios which use XFRM marks:

http://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/

where two roadwarriors are using the same subnet on their local
side and

http://www.strongswan.org/uml/testresults/ikev2/net2net-same-nets

where both subnets connected by a site-to-site tunnel are using
the same subnet address space. These scenarios might be of some help
to you.

Best regards

Andreas

On 14.09.2014 16:55, Dennis Jacobfeuerborn wrote:
> Hi Noel,
> do you have a practical example for this? I added mark_in=2 and
> mark_out=3 in the configuration but after restarting everything I don't
> see any lines like "mark 2/0xffffffff" in the output of "ip xfrm policy".
> I'm not wedded to any particular method to accomplish this so what I'm
> really interested in is given a working Tunnel that looks like this:
>
> SubnetA <-> (tunnel) <-> SubnetB
>
> what specific changes to the configuration and/or scripts (if any) are
> required to change this into:
>
> SubnetA <NAT> FakeSubnetA <-> (tunnel) <-> SubnetB
>
> I searched the web, but while I found lots of theoretical explanations
> of how this can be accomplished, there were no practical examples of how
> this is set up using strongswan.
>
> Regards,
>    Dennis
>
> On 12.09.2014 20:17, Noel Kuntze wrote:
>>
>> Hello Dennis,
>>
>> You can use the mark_in and mark_out options to have policies for both subnets.
>> You then need to use iptables to distinguish traffic for and from the different identical
>> subnets and mark it appropriately using -j MARK {parameters}.
>> The _updown and _updown_espmark are actually a legacy thing but are used and invoked by charon, too.
>> Modify it appropriately to insert the rules. The file works correctly by default.
>> Of course, you can also use netmap instead.
>>
>> Kind regards/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> On 12.09.2014 at 17:33, Dennis Jacobfeuerborn wrote:
>>> Hi,
>>> I've set up a couple of IPSEC tunnels using Strongswan so far and it
>>> works great; however, now I've hit a little bump.
>>> I need to set up a tunnel where the /24 subnets on both sides collide.
>>> After some reading it seems that I need to set up an additional /24
>>> subnet on my end which will be used as the subnet of the tunnel and then
>>> use iptables NETMAP rules to NAT IPs from this "fake" subnet to the real
>>> one and back.
>>
>>> Apparently the Strongswan RPM I'm using comes with a script
>>> "_updown_espmark" that is supposed to do something like that but it
>>> seems to have been written for the pluto daemon and its interfaces even
>>> though Strongswan now comes with charon.
>>
>>> If the actual subnet I want to use is 10.1.0.0/24 and the "fake" one for
>>> NATing purposes is 192.168.0.0/24, what iptables rules would I need to
>>> make this work?
>>
>>> Regards,
>>>    Dennis
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
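The thread never shows the actual rules for Dennis's scenario (real subnet 10.1.0.0/24 hidden behind the "fake" 192.168.0.0/24 on his side of the tunnel). The following script is an added example, not code from the thread or from the strongSwan project, that takes Noel's "use netmap instead" route rather than XFRM marks. It assumes the peer's subnet is reachable as REMOTE_NET (10.2.0.0/24 is a placeholder; the thread does not give a value), that the iptables policy match (xt_policy) is available, and that the connection's leftsubnet is set to the fake prefix so the peer negotiates traffic selectors for the addresses it actually sees. The helper at the end predicts what NETMAP will do to a single host address, which is a quick way to check the prefixes before touching the firewall. Note that if SubnetB is also 10.1.0.0/24, as in Dennis's first mail, hosts in SubnetA cannot address it at all (it is their own prefix), so the peer needs the mirror-image mapping on its side; this script only covers the local side the thread asks about.

```shell
#!/bin/sh
# Added example, not from the thread: NETMAP rules for the local side of
#   SubnetA <NAT> FakeSubnetA <-> (tunnel) <-> SubnetB
# REAL_NET/FAKE_NET are the values from the thread; REMOTE_NET is an assumed
# placeholder for the peer's subnet. IPT defaults to "echo iptables", so the
# script only prints the rules; run it with IPT=iptables to install them.

REAL_NET="${REAL_NET:-10.1.0.0/24}"        # SubnetA, the hosts' real addresses
FAKE_NET="${FAKE_NET:-192.168.0.0/24}"     # FakeSubnetA, what the peer sees (leftsubnet=)
REMOTE_NET="${REMOTE_NET:-10.2.0.0/24}"    # assumption: SubnetB as seen through the tunnel
IPT="${IPT:-echo iptables}"

# NETMAP maps address-for-address, so the real and fake prefixes must have the
# same length; a mismatch is the usual reason a NETMAP rule silently misbehaves.
same_prefix_len() {
    [ "${1##*/}" = "${2##*/}" ]
}

# Outbound: packets from the real subnet heading into the tunnel get their
# source rewritten into the fake subnet before ESP encapsulation. The policy
# match limits this to traffic that an IPsec policy will actually protect.
netmap_out_rule() {
    printf '%s\n' "-t nat -A POSTROUTING -s $REAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec -j NETMAP --to $FAKE_NET"
}

# Inbound: decapsulated packets addressed to the fake subnet are rewritten
# back to the real subnet before they are forwarded.
netmap_in_rule() {
    printf '%s\n' "-t nat -A PREROUTING -s $REMOTE_NET -d $FAKE_NET -m policy --dir in --pol ipsec -j NETMAP --to $REAL_NET"
}

apply_netmap() {
    same_prefix_len "$REAL_NET" "$FAKE_NET" || {
        echo "REAL_NET and FAKE_NET must have the same prefix length" >&2
        return 1
    }
    $IPT $(netmap_out_rule)
    $IPT $(netmap_in_rule)
}

# --- helpers that predict what NETMAP does to one host address ------------

ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr HOST TO_NET: NETMAP keeps the host bits of HOST and swaps in the
# network bits of TO_NET, e.g. 10.1.0.5 -> 192.168.0.5 for --to 192.168.0.0/24.
netmap_addr() {
    host=$(ip2int "$1")
    to=$(ip2int "${2%/*}")
    plen=${2##*/}
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    int2ip $(( (to & mask) | (host & ~mask & 0xffffffff) ))
}

# Stand-alone run: print the two rules and a sample translation. The matching
# ipsec.conf side is leftsubnet=$FAKE_NET, not the real subnet.
apply_netmap
echo "10.1.0.5 leaves the tunnel as $(netmap_addr 10.1.0.5 "$FAKE_NET")"
```

After installing the rules and reloading the connection, `ip xfrm policy` should list 192.168.0.0/24 (the fake prefix) as the local selector; if it still shows 10.1.0.0/24, the leftsubnet change did not take effect and the NETMAP rules will never match tunnel traffic.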
