[strongSwan] Colliding subnets, NETMAP and charon/pluto

Andreas Steffen andreas.steffen at strongswan.org
Sun Sep 14 17:42:17 CEST 2014

Hi Dennis,

A long time ago I created two example scenarios which use XFRM marks:


where two roadwarriors are using the same subnet on their local
side and


where both subnets connected by a site-to-site tunnel are using
the same subnet address space. These scenarios might be of some help
to you.

Best regards


On 14.09.2014 16:55, Dennis Jacobfeuerborn wrote:
> Hi Noel,
> do you have a practical example for this? I added mark_in=2 and
> mark_out=3 in the configuration but after restarting everything I don't
> see any lines like "mark 2/0xffffffff" in the output of "ip xfrm policy".
> I'm not wedded to any particular method to accomplish this so what I'm
> really interested in is given a working Tunnel that looks like this:
> SubnetA <-> (tunnel) <-> SubnetB
> what specific changes to the configuration and/or scripts (if any) are
> required to change this into:
> SubnetA <NAT> FakeSubnetA <-> (tunnel) <-> SubnetB
> I searched the web, but while I found lots of theoretical explanations
> of how this can be accomplished, I found no practical examples of how
> this is set up using strongswan.
> Regards,
>    Dennis
> On 12.09.2014 20:17, Noel Kuntze wrote:
>> Hello Dennis,
>> You can use the mark_in and mark_out options to have policies for both subnets.
>> You then need to use iptables to distinguish traffic for and from the different identical
>> subnets and mark it appropriately using -j MARK {parameters}.
>> The _updown and _updown_espmark are actually a legacy thing but are used and invoked by charon, too.
>> Modify it appropriately to insert the rules. The file works correctly by default.
>> Of course, you can also use netmap instead.
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> Am 12.09.2014 um 17:33 schrieb Dennis Jacobfeuerborn:
>>> Hi,
>>> I've set up a couple of IPSEC tunnels using Strongswan so far and it
>>> works great however now I've hit a little bump.
>>> I need to set up a tunnel where the /24 subnets on both sides collide.
>>> After some reading it seems that I need to set up an additional /24
>>> subnet on my end which will be used as the subnet of the tunnel and then
>>> use iptables NETMAP rules to NAT IPs from this "fake" subnet to the real
>>> one and back.
>>> Apparently the Strongswan RPM I'm using comes with a script
>>> "_updown_espmark" that is supposed to do something like that but it
>>> seems to have been written for the pluto daemon and its interfaces even
>>> though Strongswan now comes with charon.
>>> If the actual subnet I want to use is and the "fake" one for
>>> NATing purposes is what iptables rules would I need to make
>>> this work?
>>> Regards,
>>>    Dennis
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
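Added example, not part of the thread and not strongSwan's own _updown or _updown_espmark script: a shell sketch of the NETMAP rules Dennis describes for a site-to-site tunnel whose two LANs both use the same /24. All addresses are constructed for illustration (real local LAN 10.0.0.0/24, presented to the peer as 10.1.0.0/24; the peer's LAN presented to us as 10.2.0.0/24), and the IPsec policy is configured on the fake subnets (leftsubnet=10.1.0.0/24, rightsubnet=10.2.0.0/24 in ipsec.conf). Outbound traffic is rewritten in POSTROUTING before the xfrm policy lookup is redone, inbound traffic is mapped back in PREROUTING after decryption; the remote gateway needs the mirror-image rules. XFRM marks (mark_in/mark_out plus -j MARK) only become necessary when two identical selectors must coexist as policies on one gateway, as in the roadwarrior scenario Andreas mentions; a single site-to-site tunnel is handled by NETMAP alone.

```shell
#!/bin/sh
# Added example (not from the thread): iptables NETMAP rules for a
# site-to-site tunnel whose two LANs both use 10.0.0.0/24.
# Addresses are constructed for illustration:
#   REAL_LOCAL  10.0.0.0/24  the real local LAN
#   FAKE_LOCAL  10.1.0.0/24  how the local LAN appears to the peer
#   FAKE_REMOTE 10.2.0.0/24  how the peer's LAN appears to us
# The IPsec policy is set on the fake subnets, e.g. in ipsec.conf:
#   leftsubnet=10.1.0.0/24
#   rightsubnet=10.2.0.0/24
# A local host 10.0.0.5 reaches the remote host 10.0.0.7 as 10.2.0.7.

REAL_LOCAL=${REAL_LOCAL:-10.0.0.0/24}
FAKE_LOCAL=${FAKE_LOCAL:-10.1.0.0/24}
FAKE_REMOTE=${FAKE_REMOTE:-10.2.0.0/24}

# Print the iptables commands (one per line) for the given action
# (-A to add, -D to delete) without executing them, so they can be
# inspected or called from the up-client/down-client cases of a
# custom _updown script.
netmap_rules() {
    action=$1
    # Outbound: rewrite the real source network to the fake one before
    # the packet is matched against the IPsec policy selector.
    printf 'iptables -t nat %s POSTROUTING -s %s -d %s -j NETMAP --to %s\n' \
        "$action" "$REAL_LOCAL" "$FAKE_REMOTE" "$FAKE_LOCAL"
    # Inbound: after decryption the packet is addressed to the fake
    # local network; only for IPsec-decapsulated traffic, map the
    # destination back to the real LAN.
    printf 'iptables -t nat %s PREROUTING -s %s -d %s -m policy --dir in --pol ipsec -j NETMAP --to %s\n' \
        "$action" "$FAKE_REMOTE" "$FAKE_LOCAL" "$REAL_LOCAL"
}

# Translated address of one host under a /24 NETMAP: the host octet is
# kept and the network part replaced (pure shell, no iptables needed).
# Example: 10.0.0.5 under 10.1.0.0/24 -> 10.1.0.5
netmap_host() {
    host=$1
    net=${2%/24}
    printf '%s.%s\n' "${net%.*}" "${host##*.}"
}

# "up" applies the rules, "down" removes them, "show" only prints them.
case ${1:-} in
    up)   netmap_rules -A | sh ;;
    down) netmap_rules -D | sh ;;
    show) netmap_rules -A ;;
esac
```

Run it as `sh netmap.sh show` to review the generated rules, and verify the result on a live gateway with `iptables -t nat -L -n -v` and `ip xfrm policy`, where the policy selectors should name the fake subnets.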

