[strongSwan] planned support for RFC6407 GDOI - GETVPN

Martin Willi martin at strongswan.org
Fri Jan 17 11:17:39 CET 2014


Hi Stefan,

> ● Instantaneous large-scale any-to-any IP connectivity using a group
> IPsec security paradigm - seems to be RFC6407 GDOI

I think GDOI is particularly interesting for securing multicast traffic.
While it might be usable for plain any-to-any connections, you probably
can achieve the same with a full mesh of IPsec tunnels.

GDOI is IKEv1 though, and we'd prefer to focus on IKEv2.

> Is there anything out there to be able to mesh around 800 sites
> together over vpn tunnel without having to configure a vpn tunnel from
> each site to each other?

There is OpenNHRP [1], but I've no experience with that. It uses a
dedicated routing protocol on top of a secured GRE tunnel, so not
exactly what you are looking for.

With strongSwan, there is currently no out-of-the-box solution. Creating
dynamic connections is certainly doable using a custom configuration
backend. Depends on what you'd actually want to achieve.

In the long term, we'll be focusing on the IETF ipsecme "large scale VPN"
work. [2] is based on NHRP, while [3] does routing based on IPsec
policies. We favor [3], but there are no plans yet for implementing it.

Regards
Martin

[1] http://sourceforge.net/projects/opennhrp/
[2] http://tools.ietf.org/html/draft-detienne-dmvpn-01
[3] http://tools.ietf.org/html/draft-sathyanarayan-ipsecme-advpn-03
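As an added illustration of the "full mesh of IPsec tunnels" alternative mentioned in the mail (this is example code written for this page, not part of Martin's reply and not strongSwan project code), the script below generates a per-site ipsec.conf for a constructed four-site inventory and reports how the tunnel count grows. The site names, addresses, subnets, the certificate file naming and the chosen IKE/ESP proposals are all assumptions made for the example; the ipsec.conf keywords themselves (conn, left/right, leftsubnet, leftid, leftcert, keyexchange, authby, auto) are the standard ones.

```python
"""Generate a full-mesh strongSwan ipsec.conf for a list of sites.

Added example for this page (not strongSwan code, not from the mail).
It shows what a full mesh costs: every site needs a conn to every other
site, so the mesh holds n*(n-1)/2 tunnels and each site's ipsec.conf
gains n-1 conn blocks every time a site is added. The 800-site case
from the question comes out at 319600 tunnels.
"""
from itertools import combinations

# Constructed sample inventory (assumption): name -> (public address, protected subnet).
SITES = {
    "site-a": ("192.0.2.1", "10.0.1.0/24"),
    "site-b": ("192.0.2.2", "10.0.2.0/24"),
    "site-c": ("192.0.2.3", "10.0.3.0/24"),
    "site-d": ("192.0.2.4", "10.0.4.0/24"),
}

# Settings shared by every conn (proposals are an assumption for the example).
# IKEv2 with certificate authentication keeps per-peer secrets out of the
# picture: a new site needs one certificate from the common CA, not a PSK
# with each of the other n-1 sites.
DEFAULTS = """\
config setup

conn %default
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    auto=route
"""


def mesh_tunnel_count(n):
    """Number of distinct tunnels in a full mesh of n sites."""
    return n * (n - 1) // 2


def mesh_pairs(sites):
    """All unordered site pairs, i.e. one entry per tunnel in the mesh."""
    return list(combinations(sorted(sites), 2))


def conn_block(local, remote, sites):
    """One ipsec.conf conn from `local` to `remote`.

    Assumes the local certificate is stored as /etc/ipsec.d/certs/<name>.pem
    (leftcert paths are relative to that directory).
    """
    laddr, lnet = sites[local]
    raddr, rnet = sites[remote]
    return "\n".join([
        f"conn {local}-to-{remote}",
        f"    left={laddr}",
        f"    leftsubnet={lnet}",
        f"    leftid=@{local}",
        f"    leftcert={local}.pem",
        f"    right={raddr}",
        f"    rightsubnet={rnet}",
        f"    rightid=@{remote}",
        "",
    ])


def site_config(local, sites):
    """Full ipsec.conf for one site: defaults plus a conn to every other site."""
    blocks = [conn_block(local, r, sites) for r in sorted(sites) if r != local]
    return DEFAULTS + "\n" + "\n".join(blocks)


def conn_count(config):
    """Count the peer conn blocks in a generated config (conn %default excluded)."""
    return sum(1 for line in config.splitlines()
               if line.startswith("conn ") and not line.startswith("conn %default"))


if __name__ == "__main__":
    print(site_config("site-a", SITES))
    for n in (4, 50, 800):
        print(f"{n} sites -> {mesh_tunnel_count(n)} tunnels, {n - 1} conns per site")
```

Every site gets its own generated file, so adding one site means regenerating and reloading the configuration on all existing sites; that operational cost, rather than the daemon's ability to hold the conns, is what makes the full mesh unattractive at 800 sites and motivates the dynamic approaches the mail refers to.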