[strongSwan] Adding IP Options in Tunnel Mode's New Header !!!

Kesava Srinivas keshavsrinu at gmail.com
Mon Aug 27 13:14:35 CEST 2012


Thanks Richard for the response.

Yeah, I agree that we can pick up the packet in the POST_ROUTING hook after
encryption is done and add IP options by expanding the socket buffer's
data space. But let us say this results in fragmentation; then the IPsec
packet has to suffer. Hence, I thought of doing it along with encryption.
So, is that only possible by manipulating code in the file
*xfrm4_mode_tunnel.c*? This is the file that I came across while digging
into things. Please let me know if that's not the one!

-Thanks,
VKS.

On Mon, Aug 27, 2012 at 4:14 AM, Richard Andrews <richard.andrews at symstream.com> wrote:

> IIRC firewall marks are preserved through kernel encryption xfrm. That
> is, adding a fwmark to a packet about to be encrypted creates an
> encrypted packet with the same mark. Maybe this could be used with some
> iptables magic to do what you desire.
>
>
> On Fri, 2012-08-24 at 20:29 +0530, Kesava Srinivas wrote:
> > Guys,
> > Need some help in understanding how to add options to the outer IP
> > header (new) while operating Strong-swan in tunnel mode.
> >
> > Not sure whether Strong-swan provides the flexibility to configure
> > IP header options which are to be added in the new header of tunnel mode!
> > After some research, it seems xfrm4_mode_tunnel.c is adding the
> > new header, and I thought of changing the code in the kernel itself to
> > add the options.
> >
> > Please let me know what's the right way of adding IP header
> > options?
>
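The header growth and fragmentation concern raised in this thread, as an added user-space example that is not code from the thread, strongSwan or the kernel's xfrm path: it inserts options into an option-less outer IPv4 header, pads them to a 32-bit boundary, fixes IHL, total length and checksum, and reports whether the result exceeds the MTU. The function names, the plain byte buffer standing in for a socket buffer, and the option bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 ones'-complement checksum over an IPv4 header (len is even). */
static uint16_t ip_checksum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(h[i] << 8 | h[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical helper: insert opt[0..optlen) after the fixed 20-byte header
 * of pkt (len bytes used, cap bytes available). Returns the new packet length
 * or -1; *needs_frag is set when the grown packet no longer fits in mtu. */
int add_ip_options(uint8_t *pkt, size_t len, size_t cap, const uint8_t *opt,
                   size_t optlen, size_t mtu, int *needs_frag)
{
    size_t padded = (optlen + 3) & ~(size_t)3;   /* options fill whole 32-bit words */
    size_t newlen = len + padded;

    if (len < 20 || pkt[0] != 0x45)              /* IPv4 with IHL 5 (no options) only */
        return -1;
    if (optlen == 0 || padded > 40 || newlen > cap || newlen > 0xffff)
        return -1;                               /* IHL is capped at 15 words = 60 bytes */

    memmove(pkt + 20 + padded, pkt + 20, len - 20);  /* shift ESP payload back */
    memcpy(pkt + 20, opt, optlen);
    memset(pkt + 20 + optlen, 0, padded - optlen);   /* End-of-Option-List padding */
    pkt[0] = (uint8_t)(0x40 | (20 + padded) / 4);    /* version 4, new IHL */
    pkt[2] = (uint8_t)(newlen >> 8);                 /* total length, big-endian */
    pkt[3] = (uint8_t)(newlen & 0xff);
    pkt[10] = pkt[11] = 0;                           /* zero checksum before recompute */
    uint16_t c = ip_checksum(pkt, 20 + padded);
    pkt[10] = (uint8_t)(c >> 8);
    pkt[11] = (uint8_t)(c & 0xff);
    *needs_frag = newlen > mtu;
    return (int)newlen;
}

int main(void)
{
    uint8_t pkt[1600] = {0x45, 0, 0x05, 0xdc};  /* constructed 1500-byte packet */
    const uint8_t opt[] = {0x9e, 3, 0xaa};      /* constructed 3-byte option */
    int frag = 0, n = add_ip_options(pkt, 1500, sizeof pkt, opt, sizeof opt, 1500, &frag);
    printf("new length %d, exceeds MTU: %d\n", n, frag);
    return 0;
}
```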