author | Andreas Steffen <andreas.steffen@strongswan.org> | 2010-07-27 21:16:44 +0200 |
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2010-07-27 21:16:44 +0200 |
commit | ff7b0dd28908c40571d5e4c1a288810e94058c37 (patch) | |
tree | 209cb461cba52ab4189c3348a98b90a429312a37 /testing | |
parent | c100dd6b5f83ccff89684b534322bd213923022a (diff) | |
download | strongswan-ff7b0dd28908c40571d5e4c1a288810e94058c37.tar.bz2 strongswan-ff7b0dd28908c40571d5e4c1a288810e94058c37.tar.xz |
added NETMAP rules for the reverse direction
Diffstat (limited to 'testing')
3 files changed, 11 insertions, 4 deletions
diff --git a/testing/tests/ikev2/net2net-same-nets/description.txt b/testing/tests/ikev2/net2net-same-nets/description.txt
index 556016188..d0eb3374f 100644
--- a/testing/tests/ikev2/net2net-same-nets/description.txt
+++ b/testing/tests/ikev2/net2net-same-nets/description.txt
@@ -12,4 +12,4 @@ connection definition of <b>ipsec.conf</b> both on the inbound and outbound traf
 the necessary NETMAP operations and forward the tunneled traffic.
 <p/>
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
index aaf096de3..bf99bb278 100644
--- a/testing/tests/ikev2/net2net-same-nets/evaltest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -1,7 +1,10 @@
 moon::ipsec statusall::net-net.*ESTABLISHED::YES
 sun::ipsec statusall::net-net.*ESTABLISHED::YES
 alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index 599389643..d7b68956c 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -147,8 +147,8 @@ custom:*) # custom parameters (see above CAUTION comment)
 esac
 
 # define NETMAP
-SAME_NET="10.0.0.0/14"
-IN_NET="10.4.0.0/14"
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
 OUT_NET="10.8.0.0/14"
 
 # define internal interface
@@ -193,7 +193,11 @@ up-client:)
 if [ -n "$PLUTO_MARK_OUT" ]
 then
 iptables -t mangle -A PREROUTING $SET_MARK_OUT
+iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -d $OUT_NET -j NETMAP --to $SAME_NET
 iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -s $SAME_NET -j NETMAP --to $IN_NET
 fi
 ;;
 down-client:)
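Review bot: The two `iptables -t nat -A` NETMAP rules added under up-client have no matching deletion under down-client — the diffstat's 11 insertions are fully accounted for by the lines visible on this page, so the rules remain in the nat table after the SA goes down and every further up-client appends another copy. The down-client body and the enclosing case statement lie outside the hunk; the `-D` counterparts below belong there, inside the same `PLUTO_MARK_OUT` guard if down-client mirrors up-client. In the first hunk `SAME_NET` and `IN_NET` are now taken from the connection's traffic selectors while `OUT_NET` stays a hard-coded /14, so the NETMAP prefixes only line up when those selectors are also /14 — a comment such as `# NETMAP assumes SAME_NET/IN_NET use the same prefix length as OUT_NET` would record that assumption. Quoting the expansions (`--to "$SAME_NET"`, `-d "$OUT_NET"`) also keeps an unset selector variable from silently shifting the rule's arguments instead of failing visibly.
```shell
down-client:)
	# … unchanged: existing down-client cleanup …
	iptables -t nat -D PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
		-d $OUT_NET -j NETMAP --to $SAME_NET
	iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
		-s $SAME_NET -j NETMAP --to $IN_NET
```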