[strongSwan] Transparently route all packets through an IPSEC tunnel - is this possible?

Noel Kuntze noel at familie-kuntze.de
Thu Feb 11 22:08:42 CET 2016

On 11.02.2016 19:08, Michael O Holstein wrote:
> AFIK to do layer2 stuff (like DHCP) you will need to do something like GRE or L2TP (which you can then encapsulate in IPSEC).
> Regards,
> Michael Holstein
> Cleveland State University

You can use DHCP just fine over an IPsec tunnel, just not the broadcast part of the protocol, because it's probably not allowed by the negotiated
TS. And DHCP clients that write using a raw socket probably also can't be used, because raw sockets don't feed into the XFRM hooks in the kernel.

On 11.02.2016 16:58, Carsten SChlote wrote:

> Is it possible to route packets that way with an IPSEC tunnel?
Yes, sure, if the traffic matches the negotiated SPs.

> Or do I need some kind of DHCP proxy on the local interface, so that DHCP requests could be indirectly forwarded to some host behind the IPSEC tunnel? 
See above.

> That way the systems connected to the local interface could configure an IP and could be matched to the local side of the IPSEC tunnel. The DHCP answer would also configure a default route to some system behind the IPSEC tunnel.

IPsec is a layer 3 tunnel. Routing on Ethernet works on layer two. You can't do any special routing to a third host in any way you can in a layer two network.
Either a packet goes into the tunnel (and hence is afterwards routed by the other peer) or not.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
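To make the traffic-selector point above concrete, here is a small model of an outbound IPsec policy check. It is an added illustration, not code from the post or from strongSwan; the policy (10.0.1.0/24 to 10.0.2.0/24, any protocol) and the two DHCP packets are constructed for the example.

```python
"""Model of how a negotiated traffic selector (TS) decides whether a packet
enters an IPsec tunnel. Illustration only; the policy and packets below are
constructed, not taken from a real configuration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    """One side of an IKEv2 TS: an address range, an IP protocol
    (0 = any) and an inclusive port range (0-65535 = any)."""
    net: ipaddress.IPv4Network
    proto: int = 0
    ports: tuple = (0, 65535)

    def covers(self, addr: str, proto: int, port: int) -> bool:
        lo, hi = self.ports
        return (ipaddress.ip_address(addr) in self.net
                and self.proto in (0, proto)
                and lo <= port <= hi)


@dataclass(frozen=True)
class Policy:
    local: TrafficSelector
    remote: TrafficSelector

    def matches(self, src, sport, dst, dport, proto) -> bool:
        """Outbound check: source must fall in the local TS, destination in the remote TS."""
        return (self.local.covers(src, proto, sport)
                and self.remote.covers(dst, proto, dport))


UDP = 17
# Constructed policy: local 10.0.1.0/24, remote 10.0.2.0/24, any protocol/port.
POLICY = Policy(
    local=TrafficSelector(ipaddress.ip_network("10.0.1.0/24")),
    remote=TrafficSelector(ipaddress.ip_network("10.0.2.0/24")),
)

# Constructed DHCP packets, both UDP 68 -> 67: the initial broadcast DISCOVER
# (no address yet, limited broadcast) and a unicast RENEW to the server 10.0.2.5.
DHCP_DISCOVER = ("0.0.0.0", 68, "255.255.255.255", 67, UDP)
DHCP_RENEW = ("10.0.1.20", 68, "10.0.2.5", 67, UDP)


def enters_tunnel(pkt) -> bool:
    """True if the policy would protect this packet with the tunnel's SA."""
    return POLICY.matches(*pkt)


if __name__ == "__main__":
    for name, pkt in (("DISCOVER", DHCP_DISCOVER), ("RENEW", DHCP_RENEW)):
        print(f"{name}: {'tunnelled' if enters_tunnel(pkt) else 'not matched by TS'}")
```

The broadcast DISCOVER falls outside both selectors and is never tunnelled, while the unicast RENEW matches and is protected; a client that writes with a raw socket would bypass this check entirely, as the reply notes.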
