[strongSwan-dev] Dynamic Multipoint VPN (opennhrp) with strongswan

Timo Teras timo.teras at iki.fi
Wed Nov 20 15:25:05 CET 2013

Hi everyone,

As brief background, I am the author of opennhrp [1] which can be used
to implement Cisco Dynamic Multipoint VPN (DMVPN) style networks on
Linux [2] along with GRE tunnels and IPsec. I have previously enhanced
ipsec-tools (racoon) [3] to be suitable for this use.

Now that strongswan seems mature, and the old free/openswan cruft is
gone, I am now looking into integrating opennhrp with strongswan as

While there are a few "unusual" coding conventions, I have a fairly good idea
how things work, and what needs to be done.

As a general idea, I would like to have a single "conn dmvpn" entry that
specifies a transport mode tunnel with wildcard traffic selectors. The
idea is to install in the kernel a wildcard transport mode selector
"src dst proto gre grekey <tunnelid>", and instantiate multiple tunnels
to different endpoints on demand (either via acquire, or opennhrp using
'ipsec stroke', or via plugin). This is how the current setups with
ipsec-tools work.

Basically the modification list would be:

1) Allow wildcard transport mode "traps" to be installed in the kernel to
   get acquires. (I already have a semi-working patch for this.)

2) Properly handle wildcard transport mode. Handle acquires by
   instantiating a new IKE_SA where needed. This might need new code in
   the IKE_SA manager. Also when acting as responder, there would be
   no need to install an additional per-tunnel policy as the one get-all
   policy matches all packets. Only the ESP SPI needs to be per-tunnel.

3) Supporting the GRE KEY in SPD traffic selectors. This might be tricky
   because the GRE KEY is a 32-bit tunnel identifier, and it is split to
   be in the TS source port and destination port, similarly to how the
   ICMP message type/code is split [4]. It would be nice to have config
   syntax like: leftproto = gre/1234 # 1234 being the 32-bit gre key

4) Extend 'ipsec stroke' (or some other means) for opennhrp to initiate
   and terminate tunnels. It knows the logical connection name, source
   IP and destination IP. So basically I need as a minimum:
    ipsec stroke up DMVPN-profile --local <srcip> --remote <dstip>
    ipsec stroke down DMVPN-profile --local <srcip> --remote <dstip>

   I would also need a way to extract the authentication information
   (remote identity, and the x509 certificate used in authentication)
   having the same information. Something like:
    ipsec stroke get-cert DMVPN-profile --local <srcip> --remote <dstip>
    (and it'd dump the cert in DER/PEM/whatever)

   As a side note, currently opennhrp is integrated with ipsec-tools with
   a script that calls 'racoonctl' with equivalent commands. So if the
   above stroke commands are done, it's just changing three lines in my
   integration script.

5) I should also get a hook that is executed when all IKE_SAs are
   deleted (but before new ones are established, e.g. due to
   lifetime end, DPD or INITIAL-CONTACT). I believe the updown script
   hook is usable as-is, but I would need to verify this.

I'm willing to write the code, but would appreciate comments on what
the architecture should be like. Even better if you can help with the
code too.


[1] http://sourceforge.net/projects/opennhrp/
[2] http://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_%28DMVPN%29
[3] http://ipsec-tools.sourceforge.net/
[4] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cc9ff19da9bf76a2f70bcb80225a1c587c162e52
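The port-splitting convention from point 3 of the mail, as an added example that is not part of the original post nor of opennhrp or strongSwan: the 32-bit GRE key is laid over the two 16-bit port fields of the selector in network byte order (high half in the source port, low half in the destination port), which is what the kernel commit in [4] does via the overlapping ports/gre_key union in the flow key. The "gre/<key>" config value and the helper names (split_gre_key, join_gre_key, parse_proto_spec, selector_for, key_matches) are assumptions made here for illustration.

```python
"""Map a 32-bit GRE key onto the sport/dport fields of an IPsec traffic
selector and back, plus a parser for the proposed "gre/<key>" syntax.

Added illustration, not opennhrp or strongSwan code. The config syntax
and the function names are assumptions made for this example.
"""
import struct
from typing import Optional, Tuple

# IANA protocol number for GRE; the selector "proto gre" resolves to this.
GRE_PROTO = 47


def split_gre_key(key: int) -> Tuple[int, int]:
    """Return (sport, dport) carrying the high and low 16 bits of the key.

    The kernel stores the key as a big-endian 32-bit value overlapping
    the two 16-bit port fields, so the byte layout decides the split.
    """
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("GRE key must fit in 32 bits: %r" % key)
    sport, dport = struct.unpack("!HH", struct.pack("!I", key))
    return sport, dport


def join_gre_key(sport: int, dport: int) -> int:
    """Inverse of split_gre_key: rebuild the 32-bit key from the ports."""
    for name, value in (("sport", sport), ("dport", dport)):
        if not 0 <= value <= 0xFFFF:
            raise ValueError("%s must fit in 16 bits: %r" % (name, value))
    return struct.unpack("!I", struct.pack("!HH", sport, dport))[0]


def parse_proto_spec(spec: str) -> Tuple[int, Optional[int]]:
    """Parse a proposed 'gre/1234' value into (protocol number, key).

    Plain 'gre' yields key None (selector matches any GRE key).
    """
    proto, _, key_text = spec.strip().partition("/")
    if proto.lower() != "gre":
        raise ValueError("only 'gre' is understood by this example: %r" % spec)
    if not key_text:
        return GRE_PROTO, None
    key = int(key_text, 0)  # accept decimal or 0x-prefixed hex
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("GRE key out of range: %r" % key_text)
    return GRE_PROTO, key


def selector_for(spec: str) -> dict:
    """Render the selector fields a kernel policy would carry.

    A missing key leaves both ports at 0, the usual "any port" wildcard.
    """
    proto, key = parse_proto_spec(spec)
    sport, dport = split_gre_key(key) if key is not None else (0, 0)
    return {"proto": proto, "sport": sport, "dport": dport, "gre_key": key}


def key_matches(selector: dict, packet_key: int) -> bool:
    """Would a GRE packet carrying packet_key hit this selector?"""
    if selector["gre_key"] is None:
        return True
    return split_gre_key(packet_key) == (selector["sport"], selector["dport"])


if __name__ == "__main__":
    sel = selector_for("gre/1234")
    print(sel)  # {'proto': 47, 'sport': 0, 'dport': 1234, 'gre_key': 1234}
    print(key_matches(sel, 1234), key_matches(sel, 0x10000 + 1234))
```

The last call in the demo is the case worth checking when a key is split across two fields: a key whose high half differs must fail to match even though its low half, and therefore the destination port, is identical.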
