[strongSwan] nfs across strongswan
noel at familie-kuntze.de
Wed Sep 24 09:25:55 CEST 2014
First of all: You can exempt some traffic from NATing if you ACCEPT it before the NAT rule.
e.g. POSTROUTING *nat:
# Note: -m policy accepts only --dir out in POSTROUTING (--dir in is rejected
# there), so the virtual IP source subnet alone identifies decrypted roadwarrior traffic.
-t nat -A POSTROUTING -s myVirtualIPNetwork/24 -d myNFSServer -j ACCEPT
-t nat -A POSTROUTING -s myVirtualIPNetwork/24 -j MASQUERADE
Do NOT, I REPEAT, DO NOT mount or unmount the nfs share with the updown script!
The problem is that ...
a) You can't successfully unmount the share with the updown script, because the corresponding hook is called _after_ the tunnel was torn down.
b) You can get problems with accessibility of the nfs share if the UID and GID of the local user and the owner of the file mismatch!
You need to force the remote file owner to be mapped to the local user by using the corresponding flags in the mount definition, either at mount time or in /etc/fstab.
You can set up different shares for different roadwarriors by assigning different IPs to them,
but assigning the same one for the same roadwarrior identity. For this, you need a persistent
virtual IP pool. You do this by using an SQL backend. See  for an example.
Setting up an export for those virtual IPs should be quite easy.
You might need to do some custom scripting though to retrieve the virtual IP
that corresponds to the different users and modifying /etc/exports correctly.
As the pool is stored in an SQL database, you might want to use mysql as backend,
as it performs better than using sqlite and has a command line utility to perform
Kind regards/Regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 24.09.2014 at 07:06, Cindy Moore wrote:
> Has anyone managed this?
> Set up an export to a virtual ip.
> Set up a strongswan conn to assign that virtual ip to a specific roadwarrior.
> Have that roadwarrior successfully nfs mount the directory once
> connected to the vpn.
> I find no examples resembling this. I'm stumped in this process
> because all the roadwarriors, even though assigned virtual IPs
> correctly according to their tun0 settings, are presenting themselves
> as having the ip address of the vpn server, which I assume is because
> it's natting everything. I'm at a loss as to how to get around this,
> so if someone has done this, I would LOVE to see your conf files and
> your iptable setup, please, please?
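The custom scripting mentioned above (reading each roadwarrior's persistent virtual IP from the SQL pool and writing /etc/exports), as an added example that is not part of the original thread: it queries a constructed in-memory SQLite copy mirroring the strongSwan attr-sql pool tables (addresses/identities, addresses stored as raw bytes) and emits one export per identity, limited to that user's virtual IP and squashed to the matching local UID/GID so point b) does not bite. LOCAL_ACCOUNTS, EXPORT_ROOT and the sample leases are constructed; a real deployment would connect to the MySQL or SQLite database strongSwan actually uses for the pool.

```python
"""Build per-roadwarrior /etc/exports lines from a strongSwan-style SQL
virtual IP pool. Added example, not from the original post: the tables
mirror the attr-sql pool schema (raw address bytes) in a constructed
in-memory SQLite copy; LOCAL_ACCOUNTS and EXPORT_ROOT are hypothetical."""
import ipaddress
import sqlite3

ID_RFC822_ADDR = 3  # IKE identity type for e-mail style identities
EXPORT_ROOT = "/srv/nfs"  # hypothetical per-user export directory
# Constructed identity -> (uid, gid) of the local account that owns the
# files; squashing to it avoids the UID/GID mismatch the post warns about.
LOCAL_ACCOUNTS = {"alice@example.org": (1001, 1001),
                  "bob@example.org": (1002, 1002)}

def build_sample_pool():
    """Constructed pool: two identities with persistent leases, one free slot."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE identities (id INTEGER PRIMARY KEY, type INT, data BLOB);
        CREATE TABLE addresses (id INTEGER PRIMARY KEY, pool INT, address BLOB,
            identity INT DEFAULT 0, acquired INT DEFAULT 0, released INT DEFAULT 1);""")
    db.executemany("INSERT INTO identities VALUES (?,?,?)",
                   [(1, ID_RFC822_ADDR, b"alice@example.org"),
                    (2, ID_RFC822_ADDR, b"bob@example.org")])
    db.executemany("INSERT INTO addresses VALUES (?,1,?,?,?,?)",
                   [(1, ipaddress.IPv4Address("10.0.8.5").packed, 1, 1411540000, 0),
                    (2, ipaddress.IPv4Address("10.0.8.6").packed, 2, 1411540100, 1),
                    (3, ipaddress.IPv4Address("10.0.8.7").packed, 0, 0, 1)])
    return db

def exports_from_pool(db, pool_id=1):
    """One export per identity holding a (possibly released, but persistent)
    lease, limited to its virtual IP and squashed to its local UID/GID."""
    rows = db.execute("""SELECT i.data, a.address FROM addresses a
                         JOIN identities i ON i.id = a.identity
                         WHERE a.pool = ? AND a.identity != 0
                         ORDER BY i.data""", (pool_id,))
    lines = []
    for ident, addr in rows:
        user = ident.decode()
        if user not in LOCAL_ACCOUNTS:
            continue  # unknown identity: export nothing rather than guess
        uid, gid = LOCAL_ACCOUNTS[user]
        ip = ipaddress.ip_address(bytes(addr))  # raw 4/16 bytes -> text form
        lines.append(f"{EXPORT_ROOT}/{user.split('@')[0]} {ip}(rw,sync,"
                     f"all_squash,anonuid={uid},anongid={gid},no_subtree_check)")
    return lines

if __name__ == "__main__":
    print("\n".join(exports_from_pool(build_sample_pool())))
```

Run `exportfs -ra` after rewriting /etc/exports so the NFS server picks up the regenerated entries.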