<p class="MsoNormal">Hi,</p><br>In strongSwan’s code base,
netkey.c at line 46 loads certain IPsec modules using the
‘modprobe’ command.
<p class="MsoNormal">In line 51 there is a<i> ‘modprobe -qv xfrm_tunnel’, which
actually </i>looks for xfrm4_tunnel and then loads it into the kernel if the module
doesn’t exist.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">After digging deep into it in the following link</p>
<p class="MsoNormal"><a href="http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/net/ipv4/xfrm4_tunnel.c#L61">http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/net/ipv4/xfrm4_tunnel.c#L61</a>
, I realized that the xfrm4_tunnel module uses the IPIP protocol (shown in line 42).</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The weblink below gives some information about IPIP.</p>
<p class="MsoNormal"><a href="http://www.linuxfoundation.org/collaborate/workgroups/networking/tunneling#IPIP_tunnels">http://www.linuxfoundation.org/collaborate/workgroups/networking/tunneling#IPIP_tunnels</a></p>
<p class="MsoNormal"><a href="http://serverfault.com/questions/358708/whats-the-difference-between-gre-and-ipip-tunnel">http://serverfault.com/questions/358708/whats-the-difference-between-gre-and-ipip-tunnel</a></p>
<p class="MsoNormal">The link says only one tunnel can be established between
tunnel end points.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">After a little more searching, the weblink below</p>
<p class="MsoNormal"><a href="https://lists.strongswan.org/pipermail/users/2006-March/001321.html">https://lists.strongswan.org/pipermail/users/2006-March/001321.html</a></p>
<p class="MsoNormal">says we can establish concurrent IPsec tunnels between
endpoints provided the endpoints show up non-overlapping subnets behind the
gateway, which directly contradicted what the second weblink on IPIP says.<br></p>
<p class="MsoNormal"> </p>
My question here is: if we are using xfrm4_tunnel (which in turn uses the IPIP module), how can we establish multiple tunnels between the same endpoints? Does having a different subnet modify the behaviour of the IPIP tunnel?<br>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:'Comic Sans MS';color:#4f81bd">--</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:'Comic Sans MS';color:#4f81bd">Regards,</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:'Comic Sans MS';color:#4f81bd">Ravi<br></span></p>
<p class="MsoNormal"> </p>