[strongSwan] Source routing with StrongSwan

Hoggins! hoggins at radiom.fr
Wed Dec 14 17:35:18 CET 2016


On 14/12/2016 at 00:52, Noel Kuntze wrote:
> On 14.12.2016 00:04, Hoggins! wrote:
>> I... guess I would know how to do it, but pardon me, I couldn't find
>> what I need on the vast Internetz. I know how to mark packets and to
>> route them accordingly, but I might be missing something here, because
>> I'm still stuck at a point where iproute tells me that the remote
>> network is unreachable.
> That's because "via" is only usable when there's a broadcast domain. IPsec doesn't have one.
> There aren't multiple next hops in an IPsec tunnel. There's only one. The remote peer.

Yep, that makes perfect sense, indeed.

>> I know you're not here to provide a bunch of commands to help me get
>> started, but maybe just a "recipe"? Something like "first, mark your
>> packets coming from blah and using bleh, then add a rule to handle
>> these, then... etc."
> set mark_out on the tunnel configuration, then mark the packets you want to put into the SA with that mark in iptables.

Alas, I'm afraid that by "iptables", you are referring to the remote
strongSwan peer, on the same network as my desired final gateway. I have
no control over this machine, and I cannot set any iptables rule on it.
I'll have to ask my provider (French hosting company / ISP named "OVH"),
but I don't think they'll be able to do anything like that for me.

Or... I misunderstood your advice ;)

>> The thing is that I looked at the archives of this list and I found a
>> schema that you provided, showing the whole netfilter chains with IPSec
>> in the middle... but even then, I'm not sure I can successfully use that
>> information.

I'm really trying to apply recipes from giant books, like a young
sorcerer not exactly aware of what he's doing. That may explain my
clumsiness on that subject.

Thanks for the help anyway!

