[strongSwan] SS5.1.0 and libipsec, configuration and usage questions

Martin Willi martin at strongswan.org
Wed Jan 8 10:13:14 CET 2014


Kimmo,

> I have not tried libipsec after September but I'm still interested in
> the feature. What kind of plans do you have for libipsec, what kinds
> of features will there be in the future?

I've implemented usage statistics, volume based rekeying and some other
minor tweaks for 5.1.1. There are currently no definite plans for
further extensions. Tweaking performance and upscaling is certainly
something that is needed for larger installations, but I'm not sure
when/if we'll go for that.

> Would it be possible (in theory) to use two backends at the same time,
> by defining it connection-based?

Theoretically, why not. However, we currently create only one kernel
backend instance. Creating another one and selecting the correct one for
use adds another layer of complexity. We currently have no plans for
such an extension. Looks like a rather exotic requirement?

> It would be nice if I could just add networks and routes to the firewall
> and that would affect the net2net tunnels too.

So you'd basically use the net2net tunnel more as a dumb pipe, and then
dynamically manage routes to forward specific traffic?

I don't know your exact requirements, but instead of using libipsec you
may also consider using a kernel-based IPsec backend and Netfilter
marks. These marks are very powerful, and allow you to (dynamically)
create firewall rules and tag individual packets to select the
appropriate IPsec policy. Probably scales much better, and is way more
flexible in selecting packets.

Regards
Martin
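As an added illustration (not code from Martin's mail or from the strongSwan project), this is the shape of the Netfilter-mark setup he describes: two net2net tunnels with identical catch-all traffic selectors, told apart only by fwmark, plus the mangle rules that tag packets into one tunnel or the other. Peer addresses, the networks behind each peer, the mark values, the PSK setup (ipsec.secrets not shown) and the strongswan.conf setting mentioned in the comments are all assumptions.

```ini
# /etc/ipsec.conf (excerpt): two "dumb pipe" net2net tunnels to two peers.
# Both carry 0.0.0.0/0 <-> 0.0.0.0/0, so the selectors alone cannot tell
# them apart; the Netfilter mark does. Addresses are constructed from the
# RFC 5737 documentation ranges.
# Assumed: strongswan.conf sets charon.install_routes = no, so the
# catch-all selectors do not create tunnel routes and marks alone select
# the policy/SA.
config setup

conn %default
    keyexchange=ikev2
    authby=psk
    left=192.0.2.1
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

conn site-a
    right=198.51.100.1
    # mark= sets both mark_in and mark_out: only packets carrying
    # fwmark 10 match this tunnel's policies and SAs
    mark=10
    auto=start

conn site-b
    right=203.0.113.1
    mark=20
    auto=start

# Matching Netfilter rules (run as root). Adding or deleting these at
# runtime steers traffic between the tunnels without touching IKE.
#
# Outbound: tag packets destined for the networks behind each peer.
# PREROUTING covers forwarded traffic, OUTPUT locally generated traffic.
#   iptables -t mangle -A PREROUTING -d 10.10.0.0/16 -j MARK --set-mark 10
#   iptables -t mangle -A OUTPUT     -d 10.10.0.0/16 -j MARK --set-mark 10
#   iptables -t mangle -A PREROUTING -d 10.20.0.0/16 -j MARK --set-mark 20
#   iptables -t mangle -A OUTPUT     -d 10.20.0.0/16 -j MARK --set-mark 20
#
# Inbound: the kernel also selects the inbound SA by mark, so ESP from
# each peer must carry the same mark before it is decrypted. With NAT-T
# match '-p udp --dport 4500' from the peer instead of '-p esp'.
#   iptables -t mangle -A PREROUTING -p esp -s 198.51.100.1 -j MARK --set-mark 10
#   iptables -t mangle -A PREROUTING -p esp -s 203.0.113.1  -j MARK --set-mark 20
```

Traffic that carries no mark matches neither tunnel and is sent in the clear, so a final rule (or a policy) that drops unmarked traffic to the remote networks is a sensible safeguard.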