Andreas,

Thank you, that was exactly what I have been looking for! But still one thing: can I somehow tell StrongSwan and XFRM so that XFRM puts that mark for me automatically, without using an iptables command from the updown script?

Anyway, that is not a big problem, but I am wondering if this by any chance could have been already implemented in StrongSwan+NETKEY? Because for inbound ESP traffic the packet does not need to be marked beforehand just to decapsulate it, right?

Regards,
Ansis

On Mon, Mar 14, 2011 at 9:49 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hello Ansis,
>
> have you had a look at the following scenario
>
> http://www.strongswan.org/uml/testresults/ikev2/nat-two-rw-mark/
>
> which uses XFRM marks to map identical remote networks to
> different ones?
>
> Regards
>
> Andreas
>
> On 03/15/2011 01:45 AM, Ansis Atteka wrote:
>> Hello,
>>
>> Here is a problem I am trying to solve: We have multiple IPsec clients
>> that connect to the same IPsec server. This IPsec server acts as a
>> "gateway" to the Internet for all computers that are behind those
>> IPsec clients (see diagram below). The problem is that subnets between
>> these IPsec clients might overlap and we do not have control over
>> them, hence we would like to implement a kernel driver that translates
>> IP addresses from (private_ip, SPI) -----> unique_ip (and also in the
>> other direction) on the IPsec server. But to be able to implement this
>> IP translator as a kernel driver we must be able to get/put extra
>> context (probably the Security Parameter Index) from/to the XFRM framework.
>>
>> Within OpenSwan+KLIPS the feature that allows one to accomplish this is
>> called "SAref tracking". I am wondering if there is something similar
>> implemented for the StrongSwan+NETKEY combination? So far I have looked
>> into the XFRM framework and it seems that it would need a couple of
>> changes there. I am wondering if this could have already been, or is
>> going to be, implemented by some other means in StrongSwan and NETKEY?
>>
>> Also there are some performance considerations why we would rather
>> use StrongSwan (Charon) + NETKEY instead of OpenSwan (Pluto) +
>> KLIPS.
>>
>> Here is a sample networking diagram:
>>
>> IpsecClient1 <--- Computer1 (192.168.0.100/24)
>>      |
>>      |
>>   Internet
>>      |
>>      v
>> IpsecServer (translate Computer1 IP to 10.0.0.1/8 and Computer2 IP to
>> 10.0.0.2/8) ------ NAT 10.0.0.0/8 subnet to a public IP -------> Internet
>>      ^
>>      |
>>   Internet
>>      |
>>      |
>> IpsecClient2 <--- Computer2 (192.168.0.100/24)
>>
>> Regards,
>> Ansis
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/dev
>
> --
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
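To illustrate the updown-script approach that the linked scenario and Ansis's question refer to, here is an added example of my own (not code from the thread or from strongSwan): an updown script that marks inbound ESP with iptables so XFRM selects the right SA and policy, then translates the overlapping client subnet to a unique one. It assumes charon exports PLUTO_MARK_IN/PLUTO_MARK_OUT for a connection with mark_in/mark_out set, that mark_in equals mark_out, and a constructed convention mapping mark N to 10.0.N.0/24.

```shell
#!/bin/sh
# Constructed strongSwan updown script (not from the thread or the project).
# Assumptions: charon exports PLUTO_MARK_IN/PLUTO_MARK_OUT (as "N" or "N/mask")
# for a connection with mark_in/mark_out set, mark_in equals mark_out, and the
# unique subnet for a client is derived from its mark as 10.0.<mark>.0/24.
# Set IPTABLES=echo to print the rules instead of installing them.
IPTABLES="${IPTABLES:-iptables}"

# Emit the mangle/nat rules for one tunnel. $1 is PLUTO_VERB (up-client adds,
# down-client removes); anything else is ignored. Rules go through $IPTABLES.
mark_rules() {
    case "$1" in
        up-client)   op="-A" ;;
        down-client) op="-D" ;;
        *)           return 0 ;;
    esac
    mark="${PLUTO_MARK_IN%%/*}"         # strip optional "/mask"
    mapped="10.0.${mark}.0/24"          # constructed mark -> subnet convention

    # 1. Give unmarked packets (replies from the Internet) the mark saved on
    #    their connection, so the outbound XFRM lookup selects this tunnel.
    $IPTABLES -t mangle $op PREROUTING -m mark --mark 0 \
        -j CONNMARK --restore-mark
    # 2. Mark inbound ESP from this peer so XFRM decapsulates with this
    #    client's SA/policy although its inner subnet collides with others.
    $IPTABLES -t mangle $op PREROUTING -p esp -s "$PLUTO_PEER" -d "$PLUTO_ME" \
        -j MARK --set-mark "$mark"
    # 3. The decapsulated packet keeps the skb mark; record it on the
    #    conntrack entry so step 1 can re-mark the reply.
    $IPTABLES -t mangle $op PREROUTING -m mark --mark "$mark" \
        -j CONNMARK --save-mark
    # 4. Translate the overlapping client subnet to this client's unique one.
    $IPTABLES -t nat $op POSTROUTING -m mark --mark "$mark" \
        -s "$PLUTO_PEER_CLIENT" -j NETMAP --to "$mapped"
}

mark_rules "$PLUTO_VERB"
```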