[strongSwan] nfs across strongswan

Noel Kuntze noel at familie-kuntze.de
Wed Sep 24 09:25:55 CEST 2014


Hello Cindy,

First of all: You can exempt some traffic from NATing if you ACCEPT
it before the NAT rule.
e.g. POSTROUTING in the nat table:
  # match on the virtual IP source network; "-m policy --dir in" is only
  # valid in PREROUTING, INPUT and FORWARD, so it cannot be used in POSTROUTING
  iptables -t nat -A POSTROUTING -s myVirtualIPNetwork/24 -d myNFSServer -j ACCEPT
  iptables -t nat -A POSTROUTING -s myVirtualIPNetwork/24 -j MASQUERADE

Do NOT, I REPEAT, DO NOT mount or unmount the nfs share with the updown script!
The problem is that ...
 a) You can't successfully unmount the share with the updown script,
    because the corresponding hook is called _after_ the tunnel was torn down.
 b) You can get problems with accessibility of the nfs share if the
    UID and GID of the local user and the owner of the file mismatch!
    You need to force the remote file owner to be mapped to the local user
    by using the corresponding flags in the mount definition, either at mount
    time or in /etc/fstab.

You can set up different shares for different roadwarriors by assigning different IPs to them,
but assigning the same one for the same roadwarrior identity. For this, you need a persistent
virtual IP pool. You do this by using an SQL backend. See [1] for an example.

Setting up an export for those virtual IPs should be quite easy.
You might need to do some custom scripting though to retrieve the virtual IP
that corresponds to the different users and modify /etc/exports correctly.

As the pool is stored in an SQL database, you might want to use mysql as backend,
as it performs better than using sqlite and has a command line utility to perform

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 24.09.2014 um 07:06 schrieb Cindy Moore:
> Has anyone managed this?
> Set up an export to a virtual ip.
> Set up a strongswan conn to assign that virtual ip to a specific roadwarrior.
> Have that roadwarrior successfully nfs mount the directory once
> connected to the vpn.
> ???
> I find no examples resembling this.  I'm stumped in this process
> because all the roadwarriors, even though assigned virtual IPs
> correctly according to their tun0 settings, are presenting themselves
> as having the ip address of the vpn server, which I assume is because
> it's natting everything.  I'm at a loss as to how to get around this,
> so if someone has done this, I would LOVE to see your conf files and
> your iptable setup, please, please?
> Thanks
> Cindy
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
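The "custom scripting" step from the reply above, as an added example that is not part of the mailing-list post or of strongSwan itself: it reads the identity-to-virtual-IP bindings out of a strongSwan SQL address pool and generates one /etc/exports line per roadwarrior, restricted to that user's virtual IP. It assumes the pool schema shipped with strongSwan's SQL plugins (tables pools, addresses, identities; IPv4 addresses stored as 4-byte blobs, identities as typed blobs). The pool contents, the SHARE_OWNERS table and the identity type constants used here are constructed for the example. Because a persistent pool keeps an identity bound to its address even after the tunnel goes down, the script exports by binding, not by current connection, so the share is ready before the roadwarrior reconnects. The exports line uses all_squash with anonuid/anongid so files are owned by the intended local account whatever UID the client presents.

```python
"""Generate per-roadwarrior /etc/exports entries from a strongSwan SQL IP pool.

Added example, not code from the post or from strongSwan. Assumes the
strongSwan SQL pool schema (pools, addresses, identities). All data below
is constructed inline so the script runs offline.
"""
import ipaddress
import sqlite3

# IKE identity type codes used in the identities.type column (assumed here).
ID_FQDN = 2
ID_RFC822_ADDR = 3

# Hypothetical mapping of VPN identity -> local share and owning account.
SHARE_OWNERS = {
    "alice@example.org": {"path": "/srv/nfs/alice", "uid": 1001, "gid": 1001},
    "bob.example.org":   {"path": "/srv/nfs/bob",   "uid": 1002, "gid": 1002},
}


def open_sample_pool() -> sqlite3.Connection:
    """Build an in-memory pool database with the strongSwan schema (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pools (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                            start BLOB NOT NULL, end BLOB NOT NULL, timeout INTEGER NOT NULL);
        CREATE TABLE identities (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, data BLOB NOT NULL);
        CREATE TABLE addresses (id INTEGER PRIMARY KEY, pool INTEGER NOT NULL,
                                address BLOB NOT NULL, identity INTEGER NOT NULL DEFAULT 0,
                                acquired INTEGER NOT NULL DEFAULT 0, released INTEGER NOT NULL DEFAULT 1);
    """)
    # timeout 0: leases never expire, so each identity keeps its address (persistent pool)
    conn.execute("INSERT INTO pools VALUES (1, 'rw', ?, ?, 0)",
                 (ipaddress.IPv4Address("10.3.0.1").packed,
                  ipaddress.IPv4Address("10.3.0.254").packed))
    conn.executemany("INSERT INTO identities VALUES (?, ?, ?)", [
        (1, ID_RFC822_ADDR, b"alice@example.org"),
        (2, ID_FQDN, b"bob.example.org"),
        (3, ID_FQDN, b"carol.example.org"),   # has a lease but no share
    ])
    conn.executemany("INSERT INTO addresses VALUES (?, 1, ?, ?, ?, ?)", [
        (1, ipaddress.IPv4Address("10.3.0.1").packed, 1, 1411500000, 0),
        (2, ipaddress.IPv4Address("10.3.0.2").packed, 2, 1411500100, 1),  # released, still bound
        (3, ipaddress.IPv4Address("10.3.0.3").packed, 3, 1411500200, 0),
        (4, ipaddress.IPv4Address("10.3.0.4").packed, 0, 0, 1),           # never leased
    ])
    return conn


def identity_to_str(id_type: int, data: bytes) -> str:
    """Decode the identity blob for the types this script supports."""
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return data.decode("utf-8")
    raise ValueError(f"unsupported identity type {id_type}")


def bound_addresses(conn: sqlite3.Connection, pool_name: str = "rw") -> dict:
    """Return {identity: virtual_ip} for every address bound to an identity in the pool.

    The 'released' flag is deliberately ignored: in a persistent pool the binding
    survives disconnects, which is exactly what lets the export stay stable.
    """
    rows = conn.execute(
        """SELECT i.type, i.data, a.address
           FROM addresses a
           JOIN identities i ON a.identity = i.id
           JOIN pools p ON a.pool = p.id
           WHERE p.name = ? AND a.identity != 0""",
        (pool_name,),
    )
    return {identity_to_str(t, d): str(ipaddress.IPv4Address(addr)) for t, d, addr in rows}


def exports_lines(bindings: dict, owners: dict = SHARE_OWNERS) -> list:
    """One /etc/exports line per identity that has a share, limited to its virtual IP."""
    lines = []
    for ident, ip in sorted(bindings.items()):
        owner = owners.get(ident)
        if owner is None:
            continue  # roadwarrior without a share: export nothing to it
        opts = (f"rw,sync,all_squash,anonuid={owner['uid']},"
                f"anongid={owner['gid']},no_subtree_check")
        lines.append(f"{owner['path']} {ip}/32({opts})")
    return lines


if __name__ == "__main__":
    db = open_sample_pool()
    for line in exports_lines(bound_addresses(db)):
        print(line)
```

Against a real deployment, point sqlite3.connect (or the MySQL driver) at the pool database strongSwan writes to, write the generated lines to /etc/exports and run exportfs -ra; regenerate whenever a new identity is added to the pool, not on every tunnel up/down.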
