[strongSwan] Source routing with StrongSwan
hoggins at radiom.fr
Wed Dec 14 17:35:18 CET 2016
Le 14/12/2016 à 00:52, Noel Kuntze a écrit :
> On 14.12.2016 00:04, Hoggins! wrote:
>> I... guess I would know how to do it, but pardon me, I couldn't find
>> what I need on the vast Internetz. I know how to mark packets and to
>> route them accordingly, but I might be missing something here, because
>> I'm still stuck at a point where iproute tells me that the remote
>> network is unreachable.
> That's because "via" is only usable when there's a broadcast domain. IPsec doesn't have one.
> There aren't multiple next hops in an IPsec tunnel. There's only one. The remote peer.
Yep, that makes perfect sense, indeed.
>> I know you're not here to provide a bunch of commands to help me get
>> started, but maybe just a "recipe" ? Something like "first, mark your
>> packets coming from blah and using bleh, then add a rule to handle
>> these, then... etc."
> set mark_out on the tunnel configuration, then mark the packets you want to put into the SA with that mark in iptables.
Alas, I'm afraid that by "iptables", you are referring to the remote
Strongswan peer, on the same network as my desired final gateway. I have
no control over this machine, and I cannot set any iptables rule on this
I'll have to ask my provider (french hosting company / ISP named "OVH"),
but I don't think they'll be able to do anything like that for me.
Or.. I misunderstood your advice ;)
>> The thing is that I looked at the archives of this list and I found a
>> schema that you provided, showing the whole netfilter chains with IPSec
>> in the middle... but even then, I'm not sure I can successfully use that
I'm really trying to apply recipes from giant books, like a young
sorcerer not exactly aware of what he's doing. That may explain my
clumsiness on that subject.
Thanks for the help anyway !
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 181 bytes
Desc: OpenPGP digital signature
More information about the Users