Running strongswan in Linux net namespace.

README.md

Version:

• strongswan-5.7.1-1.el7.x86_64

netns.sh

#!/bin/bash

set -e

NSNAME=${1:-test1}
IFNAME1=veth100
IFNAME2=veth111
INNER_ADDR=172.16.50.50
OUTER_ADDR=172.16.50.1
NETMASK=255.255.255.0

teardown(){
  ip netns del $NSNAME || :
  ip link del dev $IFNAME1 || :
  ip link del dev $IFNAME2 || :
}
trap 'teardown' EXIT

ip netns add $NSNAME
ip netns exec $NSNAME ip link list
ip link add $IFNAME1 type veth peer name $IFNAME2
ip link set $IFNAME1 netns $NSNAME
ip netns exec $NSNAME ip addr add ${INNER_ADDR}/${NETMASK} dev $IFNAME1
ip netns exec $NSNAME ip link set dev $IFNAME1 up
ip netns exec $NSNAME ip route add default dev $IFNAME1 via $OUTER_ADDR
ip addr add ${OUTER_ADDR}/${NETMASK} dev $IFNAME2
ip link set dev $IFNAME2 up

# unshare -m must be issued after ip netns because netns modifies /var/run/netns/* on the root namespace.
ip netns exec $NSNAME unshare -m /bin/bash -e <<SCRIPT
# bind mount for strongswan conf and unix socket dir.
mount --bind ./run /var/run
mount --bind ./etc /etc/strongswan
/usr/sbin/strongswan start --nofork
SCRIPT