[strongSwan] encryption of fragmented packets in linux
shashi_patil77 at yahoo.com
Tue Aug 27 09:37:38 CEST 2013
I got the following information from one of my colleagues (and I hope it will be useful for someone in this community):
I suggest having a quick look into the kernel-libipsec plugin (http://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec) coming along with strongSwan 5.1.0. This plugin provides a virtual interface (ipsec0) per tunnel, and you can easily switch between IPsec pre- and post-fragmentation by just modifying the MTU size of the interface terminating the tunnel.
I am not sure if this is the best way to do it; however, we did a quick test in our lab (we had exactly the same requirement as you) and it was working quite nicely. A configuration example can be found at http://www.strongswan.org/uml/testresults5rc/libipsec/net2net-cert/
>From: Shashidhar Patil <shashi_patil77 at yahoo.com>
>To: "users at lists.strongswan.org" <users at lists.strongswan.org>
>Sent: Friday, August 23, 2013 9:48 AM
>Subject: Re: [strongSwan] encryption of fragmented packets in linux
>Has someone tried these scenarios?
>Expert advice on this is very much appreciated.
>>From: Shashidhar Patil <shashi_patil77 at yahoo.com>
>>To: "users at lists.strongswan.org" <users at lists.strongswan.org>
>>Sent: Thursday, August 22, 2013 10:07 AM
>>Subject: [strongSwan] encryption of fragmented packets in linux
>>Is it possible to enable encryption of fragments in Linux?
>>I'm looking at the following scenarios:
>> 1. The security GW (Linux PC with strongSwan) receives IP fragments which need to be encrypted.
>> 2. Linux applies encryption on these fragments directly with the appropriate (matching) policy (and sends them as independent ESP packets).
>> 1. Linux receives a plain packet which needs to be encrypted, but the size of the packet will become more than the MTU of the interface on which it needs to be transmitted after the encryption.
>> 2. Linux should do this look-ahead calculation and fragment the IP packet, and then encrypt those fragments as independent ESP packets.
>>Is it possible to achieve either of these options on Linux?
>>Are there any settings on Linux to achieve this?
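As an added example (not from this thread or the strongSwan project): a POSIX shell helper that performs the "look-ahead calculation" asked about above for ESP tunnel mode, so the kernel-libipsec ipsec0 interface MTU can be set low enough that packets are fragmented before encryption. The overhead figures follow IPv4 ESP tunnel mode; the cipher block and ICV sizes are assumptions for an AES-CBC/HMAC SA, and the interface name ipsec0 is taken from the plugin description.

```shell
#!/bin/sh
# Added example: size the ipsec0 MTU so that a plaintext packet, once
# ESP-encapsulated in tunnel mode, still fits in the outer link MTU.
# The kernel then fragments the clear-text packet before encryption
# (pre-fragmentation); leaving the ipsec0 MTU equal to the outer MTU
# makes the ESP packet itself get fragmented instead (post-fragmentation).
# Overheads: IPv4 header (20) + ESP SPI/seq (8) + IV + ICV [+ 8 for NAT-T].
# Assumption: CBC-style cipher whose IV is one block (16 bytes for AES-CBC).

# esp_inner_mtu OUTER_MTU BLOCK ICV NATT
#   OUTER_MTU  MTU of the physical interface carrying the ESP packets
#   BLOCK      cipher block size in bytes (16 for AES-CBC; IV is one block)
#   ICV        integrity check value length (12 = HMAC-SHA1-96, 16 = SHA256-128)
#   NATT       1 if UDP encapsulation (NAT-T, 8-byte UDP header) is in use
# Prints the largest inner IPv4 packet size that fits in a single ESP packet.
esp_inner_mtu() {
    outer=$1; block=$2; icv=$3; natt=$4
    fixed=$((20 + 8 + block + icv))
    if [ "$natt" -eq 1 ]; then
        fixed=$((fixed + 8))
    fi
    avail=$((outer - fixed))
    # payload + padding + pad-length (1) + next-header (1) must be a whole
    # number of cipher blocks, so round the available space down to a block
    enc=$((avail - avail % block))
    inner=$((enc - 2))
    [ "$inner" -gt 0 ] || return 1
    echo "$inner"
}

# Worked case: 1500-byte Ethernet link, AES-CBC with HMAC-SHA1-96, no NAT-T
mtu=$(esp_inner_mtu 1500 16 12 0)
echo "ipsec0 MTU for pre-fragmentation: $mtu"
# To apply it on the tunnel's virtual interface (requires root):
#   ip link set dev ipsec0 mtu "$mtu"
```

Any inner packet larger than the printed value would exceed the outer MTU once encrypted, which is exactly the case the second scenario above wants the kernel to handle before encryption rather than after.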