sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-08 00:02:03 -04:00
Code Issues Projects Releases Wiki Activity

added NETMAP rules for the reverse direction

Browse Source
This commit is contained in:
Andreas Steffen 2010-07-27 21:16:44 +02:00
parent c100dd6b5f
commit ff7b0dd289
3 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
testing/tests/ikev2/net2net-same-nets/description.txt
View File

@ -12,4 +12,4 @@ connection definition of <b>ipsec.conf</b> both on the inbound and outbound traf
the necessary NETMAP operations and forward the tunneled traffic. the necessary NETMAP operations and forward the tunneled traffic.
<p/> <p/>
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>. pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.

3
testing/tests/ikev2/net2net-same-nets/evaltest.dat
View File

@ -1,7 +1,10 @@
moon::ipsec statusall::net-net.*ESTABLISHED::YES moon::ipsec statusall::net-net.*ESTABLISHED::YES
sun::ipsec statusall::net-net.*ESTABLISHED::YES sun::ipsec statusall::net-net.*ESTABLISHED::YES
alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES

8
testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
View File

@ -147,8 +147,8 @@ custom:*) # custom parameters (see above CAUTION comment)
esac esac
# define NETMAP # define NETMAP
SAME_NET="10.0.0.0/14" SAME_NET=$PLUTO_PEER_CLIENT
IN_NET="10.4.0.0/14" IN_NET=$PLUTO_MY_CLIENT
OUT_NET="10.8.0.0/14" OUT_NET="10.8.0.0/14"
# define internal interface # define internal interface
@ -193,7 +193,11 @@ up-client:)
if [ -n "$PLUTO_MARK_OUT" ] if [ -n "$PLUTO_MARK_OUT" ]
then then
iptables -t mangle -A PREROUTING $SET_MARK_OUT iptables -t mangle -A PREROUTING $SET_MARK_OUT
iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-d $OUT_NET -j NETMAP --to $SAME_NET
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-s $SAME_NET -j NETMAP --to $IN_NET
fi fi
;; ;;
down-client:) down-client:)