strongswan: Do not create any NAT rules when using VTI/GRE

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2019-02-04 18:38:24 +00:00
parent 41f3351320
commit 8be516b3bc
2 changed files with 73 additions and 0 deletions
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch

 	cd $(DIR_APP) && ./configure \
 		--prefix="/usr" \
--- a/src/patches/strongswan-ipfire-interfaces.patch
+++ b/src/patches/strongswan-ipfire-interfaces.patch
@@ -0,0 +1,72 @@
+--- strongswan-5.7.0/src/_updown/_updown.in.bak	2019-02-06 18:19:25.723893992 +0000
+++ strongswan-5.7.0/src/_updown/_updown.in	2019-02-06 18:28:21.520560665 +0000
+@@ -130,6 +130,13 @@
+ #              address family.
+ #
+ 
+VARS=(
+	id status name lefthost type ctype psk local local_id leftsubnets
+	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+	route x23 mode interface_mode interface_address interface_mtu rest
+)
+
+ function ip_encode() {
+ 	local IFS=.
+ 
+@@ -319,6 +326,13 @@
+ 	fi
+ 	;;
+ up-client:iptables)
+	# Read IPsec configuration
+	while IFS="," read -r "${VARS[@]}"; do
+		if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+			break
+		fi
+	done < /var/ipfire/vpn/config
+
+ 	# connection to client subnet, with (left/right)firewall=yes, coming up
+ 	# This is used only by the default updown script, not by your custom
+ 	# ones, so do not mess with it; see CAUTION comment up at top.
+@@ -383,23 +397,25 @@
+ 	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ 	fi
+ 
+-	# Add source nat so also the gateway can access the other nets
+-	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-		if [ $? -eq 0 ]; then
+-			src=${_src}
+-			break
+	if [ -z "${interface_mode}" ]; then
+		# Add source nat so also the gateway can access the other nets
+		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+		for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+			ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+			if [ $? -eq 0 ]; then
+				src=${_src}
+				break
+			fi
+		done
+
+		if [ -n "${src}" ]; then
+			iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+			logger -t $TAG -p $FAC_PRIO \
+				"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+		else
+			logger -t $TAG -p $FAC_PRIO \
+				"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ 		fi
+-	done
+-
+-	if [ -n "${src}" ]; then
+-		iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-		logger -t $TAG -p $FAC_PRIO \
+-			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-	else
+-		logger -t $TAG -p $FAC_PRIO \
+-			"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ 	fi
+ 
+ 	# Flush routing cache