[strongSwan] planned support for RFC6407 GDOI - GETVPN
martin at strongswan.org
Fri Jan 17 11:17:39 CET 2014
> ● Instantaneous large-scale any-to-any IP connectivity using a group
> IPsec security paradigm - seems to be RFC6407 GDOI
I think GDOI is particularly interesting for securing multicast traffic.
While it might be usable for plain any-to-any connections, you probably
can achieve the same with a full mesh of IPsec tunnels.
GDOI is IKEv1 though, and we'd prefer to focus on IKEv2.
> Is there anything out there to be able to mesh around 800 sites
> together over vpn tunnel without having to configure a vpn tunnel from
> each site to each other?
There is OpenNHRP, but I've no experience with that. It uses a
dedicated routing protocol on top of a secured GRE tunnel, so not
exactly what you are looking for.
With strongSwan, there is currently no out-of-the-box solution. Creating
dynamic connections is certainly doable using a custom configuration
backend. Depends on what you'd actually want to achieve.
In the long term, we'll be focusing on the IETF ipsecme "large scale VPN"
work.  is based on NHRP, while  does routing based on IPsec
policies. We favor , but there are no plans yet for implementing it.