mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-05 00:00:45 -04:00
In this test two hosts establish a transport mode connection from behind moon. sun uses the connmark plugin to distinguish the flows. This is an example that shows how one can terminate L2TP/IPsec connections from two hosts behind the same NAT. For simplification of the test, we use an SSH connection instead, but this works for any connection initiated flow that conntrack can track.
9 lines
604 B
Plaintext
An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b>
and gateway <b>sun</b> is successfully set up. The client <b>venus</b> behind
the same NAT as client <b>alice</b> also establishes the same <b>transport-mode</b>
connection. <b>sun</b> uses the connmark plugin and a <b>%unique</b> mark on
the CHILD_SAs to select the correct return path SA using connection tracking.
This allows <b>sun</b> to talk to both nodes for client initiated flows, even
if the SAs are actually both over <b>moon</b>.<br/>
To test the connection, both hosts establish an SSH connection to <b>sun</b>.
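As an added illustration of the setup described above (this is not the test's own configuration and not taken from the strongSwan repository), the fragments below show how the <b>%unique</b> mark and the connmark plugin would be enabled on <b>sun</b> with swanctl. The connection name, address, certificate file and identity are assumed placeholders; the option names (mark_in, mark_out, mode, charon.plugins.connmark.load) are real strongSwan settings.

```conf
# Added example, not the test's files. Assumed location: /etc/swanctl/swanctl.conf on sun
connections {
    rw {
        # placeholder address for sun (constructed, not from the test)
        local_addrs = 192.168.0.2
        local {
            auth = pubkey
            # placeholder certificate and identity
            certs = sunCert.pem
            id = sun.strongswan.org
        }
        remote {
            auth = pubkey
        }
        children {
            rw {
                mode = transport
                # %unique assigns every CHILD_SA its own firewall mark. The
                # connmark plugin stores the mark of the SA an inbound packet
                # arrived on in the conntrack entry and restores it on the
                # reply, so the return path uses the right SA even though
                # alice and venus share the same NAT address (moon).
                mark_in = %unique
                mark_out = %unique
            }
        }
        version = 2
    }
}

# Added example, assumed location: /etc/strongswan.conf on sun
charon {
    plugins {
        connmark {
            load = yes
        }
    }
}
```

Without the marks, the two transport-mode policies on <b>sun</b> have identical selectors (both peers appear as <b>moon</b>'s public address), so the outbound policy lookup cannot tell which SA a reply belongs to; the mark carried by the conntrack entry is what disambiguates them.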