[strongSwan] Help with fowarding an IP packet on a VPN connection
andreas.steffen at strongswan.org
Wed Jun 15 08:55:44 CEST 2011
Why don't you configure a VPN connection with
which installs an IPsec policy in the kernel. The
first outbound packet will then trigger strongSwan to set up
the VPN connection via IKE.
to lOn 06/14/2011 10:50 PM, Lin, Clifton (US SSA) wrote:
> I am trying to write code that does the following:
> 1) Intercept an outbound IP packet (e.g. from a local application) using iptables/netfilter_queue to read the packet into user-space.
> 2) Then, configure and start a strongSwan VPN connection to the packet destination.
> 3) Then, forward that packet out this VPN connection.
> My problem is with step 3. How I can forward the packet out this newly created connection? I tried issuing a netfilter verdict (NF_REPEAT or NF_ACCEPT) to reinject the packet to the kernel. However, when I do this, the packet does not get encrypted, presumably because the packet gets re-injected after the point at which the kernel would have done the IPsec encryption. Alternatively, I tried sending a new identical IP packet using a raw socket, but again, same problem as above--the packet does not get encrypted.
> Any suggestions?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
More information about the Users