[strongSwan] Help with fowarding an IP packet on a VPN connection

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 15 08:55:44 CEST 2011

Why don't you configure a VPN connection with


which installs an IPsec policy in the kernel. The
first outbound packet will then trigger strongSwan to set up
the VPN connection via IKE.



On 06/14/2011 10:50 PM, Lin, Clifton (US SSA) wrote:
> I am trying to write code that does the following:
> 1) Intercept an outbound IP packet (e.g. from a local application) using iptables/netfilter_queue to read the packet into user-space.
> 2) Then, configure and start a strongSwan VPN connection to the packet destination.
> 3) Then, forward that packet out this VPN connection.
> My problem is with step 3.  How I can forward the packet out this newly created connection?  I tried issuing a netfilter verdict (NF_REPEAT or NF_ACCEPT) to reinject the packet to the kernel.  However, when I do this, the packet does not get encrypted, presumably because the packet gets re-injected after the point at which the kernel would have done the IPsec encryption.  Alternatively, I tried sending a new identical IP packet using a raw socket, but again, same problem as above--the packet does not get encrypted.
> Any suggestions?
> Thanks,
> Clifton

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
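The mechanism Andreas describes (a policy installed in the kernel ahead of time, so that the first matching outbound packet makes the kernel raise an acquire and strongSwan negotiates the SA over IKE) is what strongSwan's `auto=route` setting in ipsec.conf does. The following connection definition is an added illustration, not a configuration from the original thread; the connection name, hostnames, subnets and certificate identities are placeholders.

```conf
# ipsec.conf (strongSwan, legacy ipsec.conf syntax) -- added example, not from
# the original thread. Connection name, subnets, host name and identities are
# placeholders (assumptions); replace them with the values of your deployment.
config setup

conn app-tunnel
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftcert=clientCert.pem
    leftauth=pubkey
    right=vpn-gw.example.org
    rightsubnet=10.2.0.0/24
    rightid="C=CH, O=Example, CN=vpn-gw.example.org"
    rightauth=pubkey
    # auto=route installs the IPsec policy in the kernel when the daemon loads
    # the connection, without negotiating the SA yet. The first outbound packet
    # matching leftsubnet -> rightsubnet hits the policy on the normal output
    # path, the kernel raises an acquire, and strongSwan sets up the tunnel
    # via IKE. No user-space interception or packet re-injection is needed:
    # the kernel holds the packet's flow behind the policy and encrypts once
    # the SA exists.
    auto=route
```

After `ipsec start` (or `ipsec reload`), `ip xfrm policy` lists the installed policy and `ipsec statusall` shows the connection under "Routed Connections" before any traffic has flowed; once an application sends a packet into the protected subnet the same command shows the negotiated SA. This is also why re-injecting a queued packet with NF_ACCEPT or a raw socket never gets it encrypted: encryption happens when the kernel matches an outbound policy on the regular output path, so the policy has to be in place before the packet is sent, rather than the packet being handed back after the policy lookup has already happened.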
