[strongSwan] Routing to local interface (E.g. tun0)

Harry Stark stark.harry at yahoo.co.uk
Tue Nov 26 10:42:09 CET 2013


Thanks for the info... will look at Kernel-libipsec but not sure it does what we need.

When I mentioned routing traffic through a local interface my thinking was something like:

VPN client--->strongswan VPN Server--->route to tun0 instead of the eth0 device

Not sure if that is possible or would work though.


________________________________
 From: Martin Willi <martin at strongswan.org>
To: Harry Stark <stark.harry at yahoo.co.uk> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Tuesday, 26 November 2013, 9:28
Subject: Re: [strongSwan] Routing to local interface (E.g. tun0)

Hi,

> but to hook into our own custom accounting system we need each user
> attached to a separate local interface (E.g. tun0...tun100).

The Linux kernel does not use any tun devices, but handles IPsec
transparently in its IP stack. You may use our userland IPsec backend
which uses tun devices, have a look at [1] for details. You won't get a
tun device for each client, though, so this is probably not what you are
looking for.

> Are there any example scripts for _updown which allow individual
> traffic to be routed via a local interface?

I don't think there is currently a way to "route" client traffic through
a dedicated interface, this is just not how strongSwan works. But on
Linux you may use Netfilter IPsec policy matching to match packets. Then
you can do whatever you want with these packets, log them or even queue
them to userland for very specific accounting.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
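A hypothetical `_updown` hook along the lines Martin describes, added here as an example (it is not strongSwan's own script nor anything from the thread): instead of a tun device per client, it uses the Netfilter `policy` match to pick out each client's IPsec-decapsulated traffic and sends it through a per-client chain whose counters serve the accounting. It assumes only the standard `PLUTO_VERB`, `PLUTO_PEER` and `PLUTO_PEER_CLIENT` variables strongSwan passes to the hook; the chain naming and rule layout are this example's own.

```sh
#!/bin/sh
# Hypothetical strongSwan _updown hook (added example). strongSwan exports
# PLUTO_VERB (up-client/down-client), PLUTO_PEER (the peer's public IP) and
# PLUTO_PEER_CLIENT (the client's virtual IP, e.g. 10.1.0.7/32); the rest is
# this example's own convention.

# Derive a per-client chain name from the virtual address (chain names are
# limited to 28 characters, so keep it compact).
chain_name() {
    printf 'ipsec_%s\n' "$(printf '%s' "$1" | sed -e 's#/.*##' -e 's#\.#_#g')"
}

# Print (rather than run) the FORWARD rules that divert one client's traffic
# into its chain, so they can be inspected or logged before being applied.
# $1 = "-I" (install) or "-D" (remove), $2 = peer IP, $3 = client IP/prefix.
account_rules() {
    op=$1; peer=$2; client=$3; chain=$(chain_name "$client")
    # Inbound: packets that arrived inside an ESP tunnel from this peer.
    printf 'iptables %s FORWARD -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src %s -s %s -j %s\n' \
        "$op" "$peer" "$client" "$chain"
    # Outbound: packets that will be encapsulated towards this peer.
    printf 'iptables %s FORWARD -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst %s -d %s -j %s\n' \
        "$op" "$peer" "$client" "$chain"
}

# Only act when invoked by strongSwan (PLUTO_VERB set); sourcing the file
# elsewhere just defines the functions above.
case "${PLUTO_VERB:-}" in
    up-client)
        chain=$(chain_name "$PLUTO_PEER_CLIENT")
        iptables -N "$chain"             # per-client chain holds the counters
        iptables -A "$chain" -j RETURN   # count, then let the normal policy decide
        account_rules -I "$PLUTO_PEER" "$PLUTO_PEER_CLIENT" | sh
        ;;
    down-client)
        chain=$(chain_name "$PLUTO_PEER_CLIENT")
        iptables -L "$chain" -v -n -x    # read exact counters before teardown
        account_rules -D "$PLUTO_PEER" "$PLUTO_PEER_CLIENT" | sh
        iptables -F "$chain"
        iptables -X "$chain"
        ;;
esac
```

Pipe the `-L` output into whatever the accounting system ingests; the chain name carries the client's virtual IP, so each counter line is attributable to one user.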