[strongSwan] Possible to broadcast packets down each IPsec tunnel from the SeGW?

Martin Willi martin at strongswan.org
Tue Nov 1 17:08:16 CET 2011


Hi Graham,

> Is it possible to send a packet to a subnet's broadcast address on the
> secure side of a SeGW and have the packet sent down each IPsec tunnel
> whose inner IP address belongs to that subnet?

It's not trivial, but it can be done. You'll need to:

      * include the broadcast address into the IPsec tunnel
      * separate the tunnels with the XFRM mark functionality to avoid
        conflicts in the kernel
      * open a socket that listens for broadcast packets and re-inject
        them for each active tunnel using the XFRM mark of each tunnel

I actually have some unreleased code that does exactly this. It does not
perform that well because it handles broadcast sniffing and re-injection
all in userspace, but it is usable. If performance is a problem, we'd
have to delegate that job to the kernel.

Another part of this plugin does the opposite: it listens for broadcasts
coming from tunnels and re-injects them to the local subnet.

The code is not usable out of the box, but let me know if you're
interested. Maybe we'll find a solution for how we could make it usable in
a more generic way and include it in the mainline distribution.

Best regards
Martin
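The three steps Martin lists (broadcast address inside the tunnel, one XFRM mark per tunnel, a userspace socket that re-injects each broadcast once per mark) sketched in Python as an added example; this is not Martin's unreleased plugin or any strongSwan code. The TUNNELS table, the mark values, addresses and port are constructed, and marks_for_broadcast, reinject and listen_and_fan_out are hypothetical helper names; the per-send SO_MARK is what lets the kernel match each copy to a different tunnel's marked XFRM policy.

```python
import ipaddress
import socket

# Constructed tunnel table: inner (virtual) IP of each peer and the XFRM
# mark that keeps its policies apart from the other tunnels in the kernel.
TUNNELS = [
    {"inner_ip": "10.9.0.10", "mark": 0x101},
    {"inner_ip": "10.9.0.11", "mark": 0x102},
    {"inner_ip": "10.9.1.20", "mark": 0x201},  # a different inner subnet
]


def marks_for_broadcast(dst, prefixlen, tunnels=TUNNELS):
    """Marks of the tunnels whose inner IP lies in the subnet that `dst`
    is the broadcast address of (hypothetical helper, not strongSwan API)."""
    net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
    if ipaddress.ip_address(dst) != net.broadcast_address:
        return []  # unicast or wrong prefix: nothing to fan out
    return sorted(t["mark"] for t in tunnels
                  if ipaddress.ip_address(t["inner_ip"]) in net)


def reinject(payload, dst, port, marks):
    """Send one copy per mark so each copy hits a different tunnel's marked
    XFRM policy. SO_MARK is Linux-only and needs CAP_NET_ADMIN."""
    for mark in marks:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_MARK, mark)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
            s.sendto(payload, (dst, port))
    return len(marks)


def listen_and_fan_out(own_ip, bcast, prefixlen, port):
    """Receive broadcasts on the secure side and fan them out. Re-injected
    copies carry the SeGW's own source address and are looped back to local
    sockets, so they are dropped here to avoid a broadcast storm."""
    marks = marks_for_broadcast(bcast, prefixlen)  # recompute as SAs change
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bcast, port))
        while True:
            payload, (src, _) = s.recvfrom(65535)
            if src != own_ip:
                reinject(payload, bcast, port, marks)


if __name__ == "__main__":
    # Runs forever and needs root on a Linux SeGW; arguments are constructed.
    listen_and_fan_out("10.9.0.1", "10.9.0.255", 24, 5000)
```

Only UDP broadcasts to one port are handled and the original source address is rewritten to the SeGW's; a raw or packet socket would be needed to forward arbitrary broadcasts unchanged.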