GRE Key as Policy Selector #314
-
Hi all. I have a setup where I would like to have multiple peers behind the same NAT communicate with a cloud node. This means that from the cloud node's perspective, the nodes behind the NAT will have the same local/remote pair. I would like to use a route-based VPN to connect as well. VTI does not seem to be a viable option because netlink rejects two VTI interfaces with the same local/remote pair, even if they have different marks. XFRM is also not an option for other reasons not worth going into here. My next thought is to use GRE. After some initial testing, I found that you can create two GRE interfaces with the same local/remote pair so long as the keys are distinct. However, given that both interfaces have the same local/remote pair, my policy will need to use the key to identify the appropriate security association for packets routed through each interface. Ideally, I can use strongswan to configure the UPSPEC field with the appropriate GRE key, as specified here. However, so far I don't see a good way to do that in the documentation. My backup plan is to just create an iptables rule to mark packets that go through each interface with the corresponding GRE key and use mark_in/mark_out on the SA. Is that my best option, or is there a better way to do this in strongswan? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 9 replies
-
remote_ts and local_ts = %dynamic[gre/x] |
Beta Was this translation helpful? Give feedback.
-
Ah, you can use the '/x' as the GRE rather than the port? |
Beta Was this translation helpful? Give feedback.
remote_ts and local_ts = %dynamic[gre/x]