<div dir="ltr"><div dir="ltr">Hi,<br><br>I have done this before, it works fine.<div><br></div><div>Just make sure you add a corresponding mark to both the definition of the ipsec0 interface and the Strongswan config for <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><br></div><div>XFRM looks for the most specific traffic selector when finding a match, it will check against route-based selector first and then will check <a href="http://0.0.0.0/0">0.0.0.0/0</a> at last.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 20, 2019 at 12:57 PM Michael Schwartzkopff <<a href="mailto:ms@sys4.de">ms@sys4.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 20.12.19 17:42, Marco Berizzi wrote:<br>
> Hello everyone,<br>
><br>
> I need to setup a <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> to <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> ipsec tunnel.<br>
> I was thinking to setup it with the new xfrm interfaces:<br>
> I don't need route all the <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> throught this vpn.<br>
><br>
> My question is how 'route based' and 'policies based'<br>
> VPNs will coexist on the same linux box.<br>
><br>
> For example, if I'm going to implement a <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> to<br>
> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> vpn with the xfrm interfaces and then I will<br>
> route the traffic only for the <a href="http://155.192.168.0/24" rel="noreferrer" target="_blank">155.192.168.0/24</a> network<br>
> throught the ipsec0 device (for example), and then I<br>
> implement a classic policy based vpn (without the xfrm<br>
> interface) with the following traffic selectors<br>
> <a href="http://166.172.16.0/24" rel="noreferrer" target="_blank">166.172.16.0/24</a> and <a href="http://177.16.172.0/24" rel="noreferrer" target="_blank">177.16.172.0/24</a>, what will happen?<br>
> Will the linux kernel process the packets for the<br>
> <a href="http://166.172.16.0/24" rel="noreferrer" target="_blank">166.172.16.0/24</a> and <a href="http://177.16.172.0/24" rel="noreferrer" target="_blank">177.16.172.0/24</a> into the right ipsec<br>
> policy?<br>
><br>
> Thanks<br>
><br>
> Marco<br>
<br>
I think mixing policy and route based VPNs on the same machine with<br>
overlapping network ranges will cause trouble. I'd change to only<br>
route-based VPNs in that case.<br>
<br>
<br>
Mit freundlichen Grüßen,<br>
<br>
-- <br>
<br>
[*] sys4 AG<br>
<br>
<a href="https://sys4.de" rel="noreferrer" target="_blank">https://sys4.de</a>, +49 (89) 30 90 46 64<br>
Schleißheimer Straße 26/MG,80333 München<br>
<br>
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263<br>
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief<br>
Aufsichtsratsvorsitzender: Florian Kirstein<br>
<br>
<br>
</blockquote></div></div>