[strongSwan-dev] Binding interfaces to IPsec

Patricia de Noriega pnoriega at it.uc3m.es
Thu May 5 15:37:23 CEST 2011


Thanks Martin.

I can't block that interface since it is the one that I use to convey
control messages. I wanted to decouple it to prevent sending
N(ADDITIONAL_IP_ADDRESSES) containing that useless interface.

On the other hand, I've noticed that duplicate messages are sent when
updating secondary addresses (some interface is activated):

May  5 14:49:30 05[KNL] *interface eth1 activated*
May  5 14:49:31 10[IKE] sending address list update using MOBIKE
May  5 14:49:31 10[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) N(ADD_4_ADDR) ]
May  5 14:49:31 10[NET] sending packet: from 192.168.200.20[4500] to 192.168.100.10[4500]
May  5 14:49:31 13[NET] received packet: from 192.168.100.10[4500] to 192.168.200.20[4500]
May  5 14:49:31 13[ENC] parsed INFORMATIONAL response 2 [ ]
May  5 14:49:32 05[KNL] *fe80::fcfd:ff:fe00:301 appeared on eth1*
May  5 14:49:32 14[IKE] sending address list update using MOBIKE
May  5 14:49:32 14[ENC] generating INFORMATIONAL request 3 [ N(ADD_4_ADDR) N(ADD_4_ADDR) ]
May  5 14:49:32 14[NET] sending packet: from 192.168.200.20[4500] to 192.168.100.10[4500]
May  5 14:49:32 08[NET] received packet: from 192.168.100.10[4500] to 192.168.200.20[4500]
May  5 14:49:32 08[ENC] parsed INFORMATIONAL response 3 [ ]


I'm using *ifconfig ethX down* to disable interfaces and *ifup --force
ethX* to activate them, since if I activate them with ifconfig up the
routing table is removed. My scenario is composed of an initiator
(roadwarrior) and a responder connected through another host that acts
as a router.

Best Regards

On 5 May 2011 14:47, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > I'm using StrongSWAN and I'd need to bind some interfaces to IPsec and
> > not all of them. Is there any option to obtain this behavior?
>
> No, binding to specific interfaces is currently not supported. Linux
> handles ESP traffic independent from interfaces. For IKE, the daemon
> currently binds on all interfaces. You could use firewalling to
> block/allow IKE/ESP traffic on selected interfaces.
>
> Regards
> Martin
>
>
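Martin's suggestion in the quoted reply is to use firewalling rather than interface binding, since the daemon listens on all interfaces and the kernel handles ESP independently of interfaces. The ruleset below is an added example, not part of this thread or of strongSwan itself; it assumes an nftables-capable kernel, that eth0 is the interface IKE and ESP should be confined to, and that eth1 is the control-message interface from the message above whose IPsec traffic should be refused. The interface names, table name and chain priorities are placeholders to adapt.

```nftables
# Added example (not from the thread): confine IKE and ESP to eth0 only.
# Assumed interface names: eth0 carries IPsec, eth1 is the control interface.
# IKE is UDP/500 (plain) and UDP/4500 (NAT-T, also carries UDP-encapsulated ESP);
# native ESP is IP protocol 50, matched here via "meta l4proto esp".
table inet ipsec_edge {
    chain input {
        type filter hook input priority 0; policy accept;

        # IKE and UDP-encapsulated ESP arriving on the permitted interface.
        iifname "eth0" udp dport { 500, 4500 } accept
        # Native ESP arriving on the permitted interface.
        iifname "eth0" meta l4proto esp accept

        # The same protocols on any other interface (eth1 included) are dropped,
        # so a peer cannot complete IKE or deliver ESP over the control link.
        udp dport { 500, 4500 } drop
        meta l4proto esp drop
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Outbound IKE / UDP-encapsulated ESP only via the permitted interface.
        oifname "eth0" udp dport { 500, 4500 } accept
        oifname "eth0" meta l4proto esp accept

        # The daemon still sends from every interface it is bound to;
        # dropping here keeps IKE retransmits off the control interface.
        udp dport { 500, 4500 } drop
        meta l4proto esp drop
    }
}
```

Load it with `nft -f <file>` and check the live rules with `nft list table inet ipsec_edge`. Note what this does and does not achieve: it stops IKE and ESP from being exchanged over eth1, but it does not remove eth1's address from the N(ADDITIONAL_IP_ADDRESSES) list that MOBIKE advertises, which is exactly the behaviour the reply says cannot currently be configured away. A peer that tries one of the advertised but filtered addresses will simply see its IKE packets dropped and fall back to the others.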