<div>Hi Martin,</div>
<div> </div>
<div>I'm interested in this topics (broadcast packets down each IPSec tunnel) as well. However, I still have some problem about this solution. </div>
<div> </div>
<div>Below is my understanding based on Graham's example.</div>
<div> </div>
<div> our strongSwan-based SeGW defines a conn config entry in ipsec.conf where IPsec tunnels established using that config are assigned inner IP addresses from a pool (e.g. <a href="http://10.17.0.0/24">10.17.0.0/24</a>).</div>
<div> </div>
<div>Server may assign an IP (e.g. 10.17.0.1) to client A and assign another IP (e.g. 10.17.0.2) to client B. </div>
<div> </div>
<div>On Client A, it will have one outgoing xfrm policy - </div>
<div> src <a href="http://10.17.0.1/32">10.17.0.1/32</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a> dir out ......</div>
<div>
<div>On Client B, it will have one outgoing xfrm policy - </div>
<div> src <a href="http://10.17.0.2/32">10.17.0.2/32</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a> dir out ......</div></div>
<div> </div>
<div>Both client can send out broadcast traffic over tunnel without error since the broadcast address (10.17.0.255) is within the outgoing xfrm policy.</div>
<div> </div>
<div>On the other hand, the server side will have 2 outgoing xfrm policies -</div>
<div> src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://10.17.0.1/32">10.17.0.1/32</a> dir out ...... to Client A</div>
<div> src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://10.17.0.2/32">10.17.0.2/32</a> dir out ...... to Client B<br></div>
<div>If we create a socket on server side which listen for broadcast packet, re-inject the packet to client A and client B, the packet will be transfered into a unicast one (with destination IP changed to 10.17.0.1 and 10.17.0.2, accordingly), is that correct? </div>
<div> </div>
<div>In that case, client A and client B still received a unicast packet, not broadcast one. </div>
<div> </div>
<div>Please tell me if my understanding correct or not, and let's discuss is it possible to send out broadcast packets (with dest address 10.17.0.254) to client A and client B.</div>
<div> </div>
<div>Best regards<br>Iris Su<br></div>
<div class="gmail_quote">2011/11/2 Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org">martin@strongswan.org</a>></span><br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hi Graham,<br>
<div class="im"><br>> Is it possible to send a packet to a subnet's broadcast address on the<br>> secure side of a SeGW and have the packet sent down each IPsec tunnel<br>> whose inner IP address belongs to that subnet ?<br>
<br></div>It's not trivial, but it can be done. You'll need to:<br><br> * include the broadcast address into the IPsec tunnel<br> * separate the tunnels with the XFRM mark functionality to avoid<br> conflicts in the kernel<br>
* open a socket that listens for broadcast packets and re-inject<br> them for each active tunnel using the XFRM mark of each tunnel<br><br>I actually have some unreleased code that does exactly this. It does not<br>
perform that well because it handles broadcast sniffing and re-injection<br>all in userspace, but it is usable. If performance is a problem, we'd<br>have to delegate that job to the kernel.<br><br>Another part of this plugin does the opposite, it listens for broadcasts<br>
coming from tunnels and re-injects them to the local subnet.<br><br>The code is not usable out of the box, but let me know if you're<br>interested. Maybe we'll find a solution how we could make it usable in a<br>more generic way and include it in the mainline distribution.<br>
<br>Best regards<br>Martin<br><br><br>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br>