[strongSwan] Routing to local interface (E.g. tun0)

Martin Willi martin at strongswan.org
Tue Nov 26 10:28:13 CET 2013


Hi,

> but to hook into our own custom accounting system we need each user
> attached to a separate local interface (E.g. tun0...tun100).

The Linux kernel does not use any tun devices, but handles IPsec
transparently in its IP stack. You may use our userland IPsec backend
which uses tun devices, have a look at [1] for details. You won't get a
tun device for each client, though, so this is probably not what you are
looking for.

> Are there any example scripts for _updown which allow individual
> traffic to be routed via a local interface?

I don't think there is currently a way to "route" client traffic through
a dedicated interface, this is just not how strongSwan works. But on
Linux you may use Netfilter IPsec policy matching to match packets. Then
you can do whatever you want with these packets, log them or even queue
them to userland for very specific accounting.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
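
The Netfilter IPsec policy matching mentioned in the reply above, as an added example that is not part of the original message and is not strongSwan's own updown script: a hook that keeps one pair of counting rules per client. The chain name IPSEC_ACCT and the dry-run default are assumptions of this example; the PLUTO_* variables are the ones strongSwan passes to an updown script.

```shell
#!/bin/sh
# Added example: per-client accounting rules driven from an updown hook.
# IPSEC_ACCT is a hypothetical chain; create it once and hook it into FORWARD:
#   iptables -N IPSEC_ACCT && iptables -I FORWARD -j IPSEC_ACCT
ACCT_CHAIN="IPSEC_ACCT"
IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default; IPTABLES=iptables applies

# acct_rules VERB PEER_CLIENT REQID
# Prints (or applies) one counting rule per direction for the client's tunnel.
acct_rules() {
    verb=$1 client=$2 reqid=$3

    # Refuse anything that is not a plain IPv4 address/prefix and a numeric reqid,
    # so no unexpected text ever reaches the iptables command line.
    case $client in
        ''|*[!0-9./]*) echo "bad client: $client" >&2; return 2 ;;
    esac
    case $reqid in
        ''|*[!0-9]*) echo "bad reqid: $reqid" >&2; return 2 ;;
    esac

    case $verb in
        up-client)   op=-A ;;
        down-client) op=-D ;;
        *) return 0 ;;      # host and IPv6 verbs are ignored in this example
    esac

    # No -j target: the rules only increment their packet and byte counters.
    # "--pol ipsec" matches traffic that was (in) or will be (out) IPsec-protected.
    $IPTABLES $op "$ACCT_CHAIN" -s "$client" \
        -m policy --dir in --pol ipsec --reqid "$reqid"
    $IPTABLES $op "$ACCT_CHAIN" -d "$client" \
        -m policy --dir out --pol ipsec --reqid "$reqid"
}

# When strongSwan invokes the script, the values come from the environment.
if [ -n "${PLUTO_VERB:-}" ]; then
    acct_rules "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}" "${PLUTO_REQID:-}"
fi
```

The per-client counters can then be read with `iptables -L IPSEC_ACCT -v -n -x`; appending a target such as `-j NFLOG` to the rules logs the matched packets instead of only counting them.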





