Hello,

I have been attempting to use the updown script to work. I have an issue
where remote offices often have the same subnet. I have not control over
the networks in the remote offices. The firewalls often don't support NAT
in VPN configs. If they do the techs don't have the skills to configure it.

So I am trying to figure out how to use Strongswan to allow me to establish
tunnels for overlapping subnets. The tested scenarios that most closely
represent what I am trying to accomplish are as follows.


https://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/index.html
https://www.strongswan.org/uml/testresults/ikev2/net2net-
same-nets/index.html


I have successfully created tunnels from two test sites to my strongswan
vpn server. As soon as I introduce leftupdown="/etc/mark_updown" and
marks=10 (marks=20 for the other site) I can no long ping my target subnet.

The daemon log show the traffic getting marked, but my iptables never get
updated.

I am using Ubuntu 16.04. I have also tried 17.04. I have used the packaged
versions of Strongswan with each distro. I have exhausted my abilities at
this point.

A tcpdump on the interface that has the route for the local subnet shows
that traffic once marked never leaves Kernel space.

So basically no iptables are created and the packets no longer get to the
interface hosting the route for the local subnet. All of this works without
the mark_updown script and the marks in the ipsec.conf.

Just to make sure I got the config working with just NAT, but I need the
marking because of the overlapping subnets.

Does anyone have a working example of a simliar config? Or what are some
possible reasons for the mark_updown not updating iptables or the packets
not finding being forwarded to the interface hosting the route of the left
subnet?

Any help is much appreciated.

Thanks,
Sean

Reply via email to