[strongSwan] Possible to broadcast packets down each IPsec tunnel from the SeGW ?
martin at strongswan.org
Tue Nov 1 17:08:16 CET 2011
> Is it possible to send a packet to a subnet's broadcast address on the
> secure side of a SeGW and have the packet sent down each IPsec tunnel
> whose inner IP address belongs to that subnet?
It's not trivial, but it can be done. You'll need to:
* include the broadcast address into the IPsec tunnel
* separate the tunnels with the XFRM mark functionality to avoid
conflicts in the kernel
* open a socket that listens for broadcast packets and re-inject
them for each active tunnel using the XFRM mark of each tunnel
I actually have some unreleased code that does exactly this. It does not
perform that well because it handles broadcast sniffing and re-injection
all in userspace, but it is usable. If performance is a problem, we'd
have to delegate that job to the kernel.
Another part of this plugin does the opposite, it listens for broadcasts
coming from tunnels and re-injects them to the local subnet.
The code is not usable out of the box, but let me know if you're
interested. Maybe we'll find a solution for how we could make it usable in a
more generic way and include it in the mainline distribution.
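A worked sketch of the three steps above (my own added example, not Martin's
unreleased plugin and not strongSwan code): a userspace daemon on the SeGW that
binds to the secure-side subnet's broadcast address and re-injects each datagram
once per active tunnel, with the tunnel's XFRM mark set on the sending socket via
SO_MARK so the kernel's policy lookup steers the copy into that tunnel. The
subnet, port, tunnel names and marks are constructed assumptions; in a real
deployment the marks would come from each connection's mark= setting and the
tunnel traffic selectors must already cover the broadcast address.

```python
import socket

# Linux socket option number for SO_MARK (asm-generic/socket.h). Python only
# exports socket.SO_MARK on some builds, so fall back to the numeric value.
# This assumes a Linux SeGW; setting SO_MARK needs CAP_NET_ADMIN.
SO_MARK = getattr(socket, "SO_MARK", 36)

# Constructed sample topology (illustrative assumptions, not from the post):
# every tunnel gets inner addresses from 10.1.0.0/24, and each active tunnel
# is separated in the kernel by its own XFRM mark.
SUBNET_BROADCAST = "10.1.0.255"
TUNNELS = {"peer-a": 0x10, "peer-b": 0x11, "peer-c": 0x12}


def make_marked_socket(mark, socket_factory=socket.socket):
    """UDP socket whose outgoing packets carry `mark`, so the XFRM policy
    lookup on output selects the tunnel whose policy matches that mark."""
    s = socket_factory(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
    return s


def fan_out(payload, dst_port, tunnels, exclude=None, socket_factory=socket.socket):
    """Re-inject one broadcast payload once per tunnel.

    `exclude` names the tunnel a packet arrived from (the reverse,
    tunnel-to-subnet direction), so a broadcast is never reflected back
    into the tunnel it came out of. Returns the tunnels written to.
    """
    sent = []
    for name, mark in tunnels.items():
        if name == exclude:
            continue
        s = make_marked_socket(mark, socket_factory)
        try:
            s.sendto(payload, (SUBNET_BROADCAST, dst_port))
        finally:
            s.close()
        sent.append(name)
    return sent


def listen_and_fan_out(port, tunnels, max_packets=None):
    """Bind to the subnet's broadcast address on `port` (Linux permits binding
    a local broadcast address) and fan each received datagram out to every
    tunnel. Returns how many datagrams were handled."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    rx.bind((SUBNET_BROADCAST, port))
    handled = 0
    try:
        while max_packets is None or handled < max_packets:
            payload, (src_ip, _) = rx.recvfrom(65535)
            targets = fan_out(payload, port, tunnels)
            print(f"{src_ip} -> {SUBNET_BROADCAST}:{port} re-injected into {targets}")
            handled += 1
    finally:
        rx.close()
    return handled


if __name__ == "__main__":
    # Run on the SeGW as root; stops after ten broadcasts for demonstration.
    listen_and_fan_out(5000, TUNNELS, max_packets=10)
```

Two caveats a practitioner should keep in mind. A plain UDP socket rewrites
the source address to the SeGW's own, so the clients behind the tunnels see
the gateway, not the original sender, as the broadcast's origin; preserving
the inner source address needs a raw socket with IP_HDRINCL (and CAP_NET_RAW),
which is also what a generic implementation has to do for non-UDP broadcasts,
sniffing them with an AF_PACKET socket rather than binding one port at a time.
And it is exactly this per-packet copy in userspace that makes the approach
slow, as Martin notes above.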