<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Thanks for the info... will look at Kernel-libipsec but not sure it does what we need.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal;">When I mentioned routing traffic through a local interface my thinking was something like:</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif;
background-color: transparent; font-style: normal;">VPN client--->strongswan VPN Server--->route to tun0 instead of the eth0 device</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal;">Not sure if that is possible or would work though.</div><div><br></div> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font size="2" face="Arial"> <b><span style="font-weight:bold;">From:</span></b> Martin Willi <martin@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Harry Stark
<stark.harry@yahoo.co.uk> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, 26 November 2013, 9:28<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] Routing to local interface (E.g. tun0)<br> </font> </div> <div class="y_msg_container"><br>Hi,<br><br>> but to hook into our own custom accounting system we need each user<br>> attached to a separate local interface (E.g. tun0...tun100).<br><br>The Linux kernel does not use any tun devices, but handles IPsec<br>transparently in its IP stack. You may use our userland IPsec backend<br>which uses tun devices, have a look at [1] for details. You won't get a<br>tun device for each client, though, so this is probably not what you are<br>looking for.<br><br>> Are there any example scripts for _updown which allow individual<br>> traffic
to be routed via a local interface?<br><br>I don't think there is currently a way to "route" client traffic through<br>a dedicated interface, this is just not how strongSwan works. But on<br>Linux you may use Netfilter IPsec policy matching to match packets. Then<br>you can do whatever you want with these packets, log them or even queue<br>them to userland for very specific accounting.<br><br>Regards<br>Martin<br><br>[1]<a href="http://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec</a><br><br><br><br><br></div> </div> </div> </div></body></html>