the necessary NETMAP operations and forward the tunneled traffic.
<p/>
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
moon::ipsec statusall::net-net.*ESTABLISHED::YES
sun::ipsec statusall::net-net.*ESTABLISHED::YES
alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
esac
# define NETMAP
-SAME_NET="10.0.0.0/14"
-IN_NET="10.4.0.0/14"
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
OUT_NET="10.8.0.0/14"
# define internal interface
if [ -n "$PLUTO_MARK_OUT" ]
then
iptables -t mangle -A PREROUTING $SET_MARK_OUT
+ iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -d $OUT_NET -j NETMAP --to $SAME_NET
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+ iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -s $SAME_NET -j NETMAP --to $IN_NET
fi
;;
down-client:)
projects / thirdparty / strongswan.git / commitdiff
