[strongSwan] Nested IPsec Tunnels
Martin Willi
martin at strongswan.org
Tue Mar 3 10:25:20 CET 2015
Hi Ryan,
> I have an application scenario where I need to test Nested IPsec Tunnels.
> I googled and came up with some old threads talking about how this isn't
> supported with strongSwan unless I use two boxes, or a VM to route the
> traffic through again. Is this still the case?
Yes, this is still the case. To manage its own tunnels, IKE traffic must
be exempted from the negotiated tunnel. strongSwan does this globally
using IPsec bypass policies. This implies that IKE never goes over any
negotiated tunnel, and prevents nested tunnels.
So unless you want to change that IPsec bypass policy behavior, running
one instance in a VM is probably the best option. Maybe even running two
strongSwan instances in their own network namespaces works, but I've
never tried that.
Regards
Martin