[strongSwan] nfs across strongswan

Noel Kuntze noel at familie-kuntze.de
Wed Sep 24 09:25:55 CEST 2014



Hello Cindy,

First of all: You can exempt some traffic from NATing, if you ACCEPT
it before the NAT rule.
e.g. POSTROUTING *nat:
-t nat -A POSTROUTING -s myVirtualIPNetwork/24 -d myNFSServer -m policy --pol ipsec --dir in -j ACCEPT
-t nat -A POSTROUTING -s myVirtualIPNetwork/24 -m policy --pol ipsec --dir in -j MASQUERADE

Do NOT, I REPEAT, DO NOT mount or unmount the nfs share with the updown script!
The problem is that ...
 a) You can't successfully unmount the share with the updown script,
    because the corresponding hook is called _after_ the tunnel was torn down.
 b) You can get problems with accessibility of the nfs share, if
    UID and GID of the local user and the owner of the file mismatch!
    You need to force the remote file owner to be mapped to the local user 
    by using the corresponding flags in the mount definition either on mount
    time or in /etc/fstab.

You can set up different shares for different roadwarriors by assigning different IPs to them,
but assigning the same one for the same roadwarrior identity. For this, you need a persistent
virtual IP pool. You do this by using an SQL backend. See [1] for an example.

Setting up an export for those virtual IPs should be quite easy.
You might need to do some custom scripting though to retrieve the virtual IP
that corresponds to the different users and modifying /etc/exports correctly.

As the pool is stored in an SQL database, you might want to use mysql as backend,
as it performs better than using sqlite and has a command line utility to perform
queries.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 24.09.2014 at 07:06, Cindy Moore wrote:
> Has anyone managed this?
> Set up an export to a virtual ip.
> Set up a strongswan conn to assign that virtual ip to a specific roadwarrior.
> Have that roadwarrior successfully nfs mount the directory once
> connected to the vpn.
> 
> ???
> 
> I find no examples resembling this.  I'm stumped in this process
> because all the roadwarriors, even though assigned virtual ip's
> correctly according to their tun0 settings, are presenting themselves
> as having the ip address of the vpn server, which I assume is because
> it's natting everything.  I'm at a loss as to how to get around this,
> so if someone has done this, I would LOVE to see your conf files and
> your iptable setup, please, please?
> 
> Thanks
> Cindy
> 

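The "custom scripting" for /etc/exports that the reply mentions, as an added example that is not part of the original post or of strongSwan itself: it keeps a marked block of the exports file in sync with a persistent virtual-IP pool so that each roadwarrior identity can mount only its own directory from its own virtual IP. The pool dump format ("<identity> <virtual IP>" per line), the export root and the marker comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites a managed block of an exports
# file from a strongSwan virtual-IP pool dump; lines outside the block are kept.

EXPORT_ROOT=/srv/nfs/home          # assumed: one subdirectory per identity
BEGIN_MARK='# BEGIN strongswan-vips (managed)'
END_MARK='# END strongswan-vips (managed)'

# Constructed sample of a pool dump ("<identity> <virtual IP>" per line); in practice
# this would come from a query against the SQL pool backend.
SAMPLE_POOL='alice@example.org 10.3.0.11
bob@example.org 10.3.0.12'

# Turn pool lines (stdin) into exports lines. Only the identity's own virtual IP is
# allowed, so a different roadwarrior cannot mount this share.
pool_to_exports() {
    while read -r identity vip; do
        [ -n "$identity" ] && [ -n "$vip" ] || continue
        printf '%s/%s %s(rw,sync,no_subtree_check,root_squash)\n' \
            "$EXPORT_ROOT" "${identity%%@*}" "$vip"
    done
}

# Replace the managed block of $1 with exports generated from the pool dump on stdin.
# Everything outside the markers is left untouched; rerunning it is idempotent.
update_exports() {   # usage: update_exports /etc/exports < pool_dump
    file=$1
    new=$(pool_to_exports)
    tmp=$(mktemp) || return 1
    [ -f "$file" ] || : > "$file"
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v body="$new" '
        $0 == b { skipping = 1; next }
        $0 == e { skipping = 0; next }
        !skipping { print }
        END { print b; if (body != "") print body; print e }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$file"
}
```

After the file has been rewritten, `exportfs -ra` makes the NFS server pick up the new entries.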

