<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Tom,<div class=""><br class=""></div><div class="">please see below<br class=""><div class="">
<div><br class="">-- <br class="">Volodymyr Litovka<br class="">  "Vision without Execution is Hallucination." -- Thomas Edison</div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 13 Aug 2020, at 18:22, Tom Cannaerts <<a href="mailto:mot@tom.be" class="">mot@tom.be</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">I'm trying to setup route-based tunnel using an xfrm interface, but it's not clear to me on how to link the policy to the interface?<div class=""><br class=""></div><div class="">This is my ipsec.conf of router1 (currently lab based setup) </div><div class=""><br class=""></div><div class="">conn router2<br class="">    fragmentation=yes<br class="">    dpdaction=restart<br class="">    ike=aes256-sha256-modp2048<br class="">    esp=aes256-sha256-modp2048<br class="">    keyingtries=%forever<br class="">    leftid=192.168.100.101<br class="">    leftauth=secret<br class="">    rightauth=secret<br class="">    leftsubnet=<a href="http://192.168.101.0/24" class="">192.168.101.0/24</a><br class="">    keyexchange=ikev2<br class="">    right=192.168.100.102<br class="">    rightsubnet=<a href="http://192.168.102.0/24" class="">192.168.102.0/24</a><br class="">    auto=start<br class=""></div></div></div></blockquote><div><br class=""></div><div>Since I’m using swanctl.conf, I don’t know, how it maps to old config, but there is no if_id_in/if_id_out parameters, which will connect it with xfrm interface. 
In my case it looks as shown below:</div><div><br class=""></div><div>connections {<br class="">        conn1 {<br class="">                children {<br class="">                        conn1-child {<br class="">                                if_id_in = 9<br class="">                                if_id_out = 9<br class="">                        }<br class="">                }<br class="">        }<br class="">}<br class=""><br class=""></div><blockquote type="cite" class=""><div dir="ltr" class=""><div class="">This is how I'm creating the interface using iproute2:</div><div class=""><br class=""></div><div class="">ip link add ipsec2 type xfrm dev eth0 if_id 0xff02<br class="">sysctl -w net.ipv4.conf.ipsec2.disable_policy=1<br class="">ip link set ipsec2 up<br class="">ip route add <a href="http://192.168.102.0/24" class="">192.168.102.0/24</a> dev ipsec2 metric 10<br class=""></div></div></blockquote><div><br class=""></div>I assign an IP address directly to the xfrm interface:</div><div><br class=""></div><div>ip link add xfrm0 type xfrm dev lo if_id 9</div><div>ip link set xfrm0 up</div><div>ip address add x.x.x.x/24 dev xfrm0</div><div><br class=""></div>And don’t forget to unload kernel-libipsec to avoid running in userland.</div><div class=""><br class=""></div><div class="">Hope this’ll help.</div><div class=""><br class=""></div></body></html>
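The point of the reply above is that the xfrm interface and the CHILD_SA are tied together only by the interface ID: the `if_id` given to `ip link add ... type xfrm` has to equal the `if_id_in`/`if_id_out` of the child in swanctl.conf, and an ipsec.conf without those parameters (as in the first message) produces SAs the interface never sees. The following is an added example, not code posted by either participant: a small POSIX sh script that extracts the ID from an `ip link` command line and from swanctl.conf text, normalises decimal and 0x-hex spellings (iproute2 accepts `0xff02`; the sample swanctl.conf text here uses decimal), and reports match, mismatch or missing. Interface names, addresses, connection names and all sample command lines and configuration text are constructed for the example; the requirement that both `if_id_in` and `if_id_out` equal the interface's `if_id` is this example's check for a single xfrm device carrying both directions.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# An xfrm interface created with `ip link add ... type xfrm ... if_id N`
# only carries the tunnel if N equals if_id_in/if_id_out of the CHILD_SA
# in swanctl.conf. These helpers extract both values, normalise decimal
# ("9") and hex ("0xff02") spellings, and report match / mismatch / missing.
# Interface names, addresses and all config text below are constructed.

# Normalise a decimal or 0x-hex if_id to a decimal string.
to_dec() {
    printf '%d\n' "$(( $1 ))"
}

# Print the if_id operand of an `ip link add ... type xfrm` command line,
# or nothing if the command does not set one.
ip_link_if_id() {
    printf '%s\n' "$1" | sed -n 's/.* if_id[ =]*\([^ ]*\).*/\1/p'
}

# Read swanctl.conf text on stdin and print "if_id_in if_id_out" from the
# first child section that sets them; a missing value prints as empty.
swanctl_if_ids() {
    awk -F'=' '
        /^[ \t]*if_id_in[ \t]*=/  && in_id  == "" { gsub(/[ \t]/, "", $2); in_id  = $2 }
        /^[ \t]*if_id_out[ \t]*=/ && out_id == "" { gsub(/[ \t]/, "", $2); out_id = $2 }
        END { print in_id, out_id }'
}

# Exit status: 0 interface and CHILD_SA agree, 1 they disagree,
# 2 one side sets no if_id (the SA is then installed without an interface
# ID and the xfrm device never sees its traffic).
check_if_id() {
    cmd=$1
    conf=$2
    link=$(ip_link_if_id "$cmd")
    ids=$(printf '%s\n' "$conf" | swanctl_if_ids)
    in_id=${ids% *}
    out_id=${ids#* }
    [ -n "$link" ] && [ -n "$in_id" ] && [ -n "$out_id" ] || return 2
    [ "$(to_dec "$link")" = "$(to_dec "$in_id")" ] &&
        [ "$(to_dec "$link")" = "$(to_dec "$out_id")" ] || return 1
    return 0
}

# Emit a swanctl.conf connections block whose child carries the given if_id
# on both directions (connection and child names are constructed).
render_child() {
    cat <<EOF
connections {
    conn1 {
        children {
            conn1-child {
                if_id_in = $1
                if_id_out = $1
            }
        }
    }
}
EOF
}

# Emit the matching iproute2 commands: name, if_id, address are caller-supplied.
render_link() {
    printf 'ip link add %s type xfrm dev lo if_id %s\nip link set %s up\nip address add %s dev %s\n' "$1" "$2" "$1" "$3" "$1"
}

# Constructed samples mirroring the thread: decimal and hex interface IDs,
# matching configs produced by render_child, and a config without any if_id.
LINK_DEC='ip link add xfrm0 type xfrm dev lo if_id 9'
LINK_HEX='ip link add ipsec2 type xfrm dev eth0 if_id 0xff02'
CONF_MATCH=$(render_child 9)
CONF_HEX_DEC=$(render_child 65282)
CONF_NO_IFID='connections {
    router2 {
        children {
            router2-child {
                local_ts = 192.168.101.0/24
                remote_ts = 192.168.102.0/24
            }
        }
    }
}'

# Stand-alone run: one line per pair, labelled by check_if_id's exit status.
report() {
    rc=0
    check_if_id "$1" "$2" || rc=$?
    case $rc in
        0) printf 'OK       %s\n' "$1" ;;
        1) printf 'MISMATCH %s\n' "$1" ;;
        2) printf 'MISSING  %s\n' "$1" ;;
    esac
}
report "$LINK_DEC" "$CONF_MATCH"
report "$LINK_HEX" "$CONF_MATCH"
report "$LINK_HEX" "$CONF_HEX_DEC"
report "$LINK_HEX" "$CONF_NO_IFID"
```

The hex/decimal normalisation matters in practice because `ip link` output and iproute2 command lines commonly show the ID in hex while swanctl.conf is written in decimal, so a visual comparison of `0xff02` against `65282` is easy to get wrong; the `MISSING` result is what the first message's ipsec.conf would produce, since it sets no interface ID at all.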