[strongSwan] MOBIKE

Tobias Brunner tobias at strongswan.org
Fri Jul 29 18:07:40 CEST 2011


> iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
> iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>
> Thus no plaintext packets should leave the VPN endpoint.

That's probably the best solution for now.  The problem with the virtual 
IP approach is that the route has to be changed to the new interface, 
even when the IP is bound to a dummy interface.  And there we currently 
have the same delete/add race condition we had with the policies.

Regards,
Tobias
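An added example, not code from the thread, of a fail-closed companion to the quoted rules: the two policy-match ACCEPTs as posted, followed by explicit DROPs for any unprotected traffic to or from the remote network. On their own the ACCEPTs only pass protected packets; unless the chain default policy is already DROP, it is the trailing DROP that keeps plaintext from leaving while policies and routes are re-installed. The remote network value and the use of iptables-restore are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the protected remote
# network is REMOTE_NET (constructed sample value below).

REMOTE_NET="${REMOTE_NET:-10.99.0.0/16}"   # constructed example value

# Emit the rule set in iptables-restore format on stdout so it can be
# reviewed before it is applied.  Rule order matters: the policy-match
# ACCEPTs must come before the catch-all DROPs for the remote network.
leak_guard_rules() {
    cat <<EOF
*filter
# Packets that were (INPUT) or will be (OUTPUT) ESP-protected: the quoted rules.
-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Fail closed: anything else addressed to or claiming to come from the
# remote network has no IPsec policy attached and would travel in the clear.
-A OUTPUT -d $REMOTE_NET -j DROP
-A INPUT  -s $REMOTE_NET -j DROP
COMMIT
EOF
}

# Print for review by default; apply (appending, without flushing existing
# rules) only when explicitly requested with --apply.
if [ "${1:-}" = "--apply" ]; then
    leak_guard_rules | iptables-restore --noflush
else
    leak_guard_rules
fi
```

Run it without arguments first and check that the ACCEPT lines precede the DROP lines in the printed set; only then re-run with --apply.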