Hello Ansis,

have you had a look at the following scenario

http://www.strongswan.org/uml/testresults/ikev2/nat-two-rw-mark/

which uses XFRM marks to map identical remote networks to different ones?

Regards

Andreas

On 03/15/2011 01:45 AM, Ansis Atteka wrote:
> Hello,
>
> Here is a problem I am trying to solve: We have multiple IPsec clients
> that connect to the same IPsec server. This IPsec Server acts as a
> "gateway" to the Internet for all computers that are behind those
> IPsec clients (see diagram below). The problem is that subnets between
> these IPsec clients might overlap and we do not have control over
> them, hence we would like to implement a kernel driver that translates
> IP addresses from (private_ip, SPI) -----> unique_ip (and also to the
> other direction) on the IPsec server. But to be able to implement this
> IP translator as a kernel driver we must be able to get/put extra
> context (probably, Security Parameter Index) from/to XFRM framework.
>
> Within OpenSwan+KLIPS the feature that allows to accomplish this is
> called "SAref tracking". I am wondering if there is something similar
> implemented for StrongSwan+NETKEY combination? So far I have looked
> into XFRM framework and it seems that it would need a couple of
> changes there. I am wondering if this could have already been or is
> going to be implemented by some other means in StrongSwan and NETKEY?
>
> Also there are some performance considerations why we would like to
> rather use StrongSwan (Charon) + NETKEY instead of OpenSwan (Pluto) +
> KLIPS.
>
>
> Here is a sample Networking diagram:
>
> IpsecClient1<--- Computer1 (192.168.0.100/24)
>      |
>      |
>   Internet
>      |
>      v
> IpsecServer (translate Computer1 IP to 10.0.0.1/8 and Computer2 IP to
> 10.0.0.2/8) ------NAT 10.0.0.0/8 subnet to a public IP ------->
> Internet
>      ^
>      |
>   Internet
>      |
>      |
> IpsecClient2<--- Computer2 (192.168.0.100/24)
>
>
> Regards,
> Ansis
>
> _______________________________________________
> Dev mailing list
> Dev@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/dev

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==