[strongSwan] Where's the ipsecX eth devices?

Martin Willi martin at strongswan.org
Fri Jun 22 10:13:41 CEST 2012


Hi Ricky,

> [...] saying that ipsec devices are no more in > 2.6.16. Is that true?

Yes. The native Linux IPsec stack (Netkey) doesn't use dedicated
interfaces, but handles packet en-/decapsulation transparently in the IP
stack.

> Then does StrongSwan route packets based purely on iptable/route
> rules?

Under some circumstances, routes are required (for example, to select an
IKE-assigned IP as source address for locally generated traffic). These
routes are installed by the IKEv2 daemon in the routing table 220 (ip
route show table 220).

iptables is not directly involved; it's all handled in the XFRM
framework of the kernel. But you can apply iptables rules for specific
tunnels using XFRM marks; for an example see [1].

Regards
Martin

[1] http://www.strongswan.org/uml/testresults/ikev2/nat-two-rw-mark/index.html
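The inspection and marking steps described in the reply, as an added example that is not part of Martin's mail or of the strongSwan project. It is a POSIX sh script with three helpers: one that pulls the source-address hint out of `ip route show table 220` output, one that lists the SAs and their marks from `ip xfrm state` output, and one that emits the iptables rules that pin filtering to a single tunnel through its XFRM mark. The command outputs embedded in the script are constructed so it runs offline; the addresses, SPIs, the mark value 0x1 and the remote subnet 10.1.0.0/16 are assumptions, as is the rule layout (mangle PREROUTING for the ESP packet before the kernel's SA lookup, which includes skb->mark; mangle OUTPUT for locally generated plaintext; the `policy` and `mark` matches in the filter table for the decrypted packets).

```shell
#!/bin/sh
# Added example (not from the original mail or from strongSwan): inspecting the
# Netkey/XFRM state strongSwan leaves behind and tying iptables rules to one
# tunnel via its XFRM mark. All command output below is constructed.

# Constructed output of `ip route show table 220` on a road warrior that was
# assigned 10.3.0.1 over IKE (assumed address): the remote subnet is routed via
# the physical interface, with the virtual IP forced as source address.
SAMPLE_TABLE_220='10.1.0.0/16 via 192.168.0.1 dev eth0 proto static src 10.3.0.1'

# Constructed output of `ip xfrm state` for one tunnel, both directions, as
# installed with mark 0x1 (assumed SPIs and key).
SAMPLE_XFRM_STATE='src 192.168.0.2 dst 192.168.0.1
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x1/0xffffffff
    aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 192.168.0.1 dst 192.168.0.2
    proto esp spi 0xd4e5f607 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x1/0xffffffff
    aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128'

# Print the "src" hint of the first route read on stdin, i.e. the address the
# kernel will use for locally generated traffic into the tunnel.
route_source_ip() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Read `ip xfrm state` output on stdin and print one "src dst spi mark" line per
# SA ("-" where the SA carries no mark).
xfrm_sa_marks() {
    awk '
        function flush() { if (src != "") print src, dst, spi, mark }
        /^src /               { flush(); src = $2; dst = $4; spi = "-"; mark = "-" }
        /^[[:space:]]*proto / { spi = $4 }
        /^[[:space:]]*mark /  { split($2, m, "/"); mark = m[1] }
        END                   { flush() }
    '
}

# Emit the iptables rules that tie filtering to one tunnel:
#  - inbound ESP from the peer is marked by SPI in mangle PREROUTING, before the
#    kernel looks up the SA (the lookup includes skb->mark, so the SA that was
#    installed with this mark is the one selected); the mark stays on the
#    decapsulated packet;
#  - locally generated plaintext for the remote subnet is marked in mangle
#    OUTPUT so it matches the XFRM policy that carries the same mark;
#  - the filter table then accepts only packets that were both IPsec-protected
#    (policy match) and belong to this tunnel (mark match).
# Arguments: mark, peer address, inbound SPI, remote subnet.
tunnel_mark_rules() {
    mark=$1; peer=$2; spi=$3; remote_net=$4
    cat <<EOF
iptables -t mangle -A PREROUTING -s $peer -p esp -m esp --espspi $spi -j MARK --set-mark $mark
iptables -t mangle -A OUTPUT -d $remote_net -j MARK --set-mark $mark
iptables -A INPUT -m policy --dir in --pol ipsec --mode tunnel -m mark --mark $mark -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -m mark --mark $mark -j ACCEPT
EOF
}

# Run against the constructed samples; on a live host feed in the real commands:
#   ip route show table 220 | route_source_ip
#   ip xfrm state | xfrm_sa_marks
printf '%s\n' "$SAMPLE_TABLE_220" | route_source_ip
printf '%s\n' "$SAMPLE_XFRM_STATE" | xfrm_sa_marks
tunnel_mark_rules 0x1 192.168.0.1 0xc1a2b3c4 10.1.0.0/16
```

The `esp` match only sees plain ESP; when the peer sits behind NAT and ESP is carried in UDP port 4500, the SPI has to be matched in the UDP payload instead, which is the situation the linked nat-two-rw-mark test case covers. Whatever sets the mark, it has to be in place before the SA or policy lookup, otherwise the kernel will not find the marked SA and the packet is dropped rather than decrypted.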