[strongSwan] Coexistence of route-based and policy-based VPN

Sandesh Sawant sandesh.sawant at gmail.com
Tue Apr 4 03:12:40 CEST 2017


I am familiar with configuring policy-based VPN using strongSwan, and I
have recently set up route-based VPN using strongSwan. I am wondering
whether one can simultaneously set up and use route-based and policy-based
connections on the same gateway. Can someone confirm the same?
As per my understanding, policy-based VPN requires strongSwan to install
routes in table 220, whereas in route-based VPN route installation by
Charon must be disabled. Therefore, for both types of connections to
co-exist, I guess there needs to be a way to configure whether route
installation is done or not on a per-connection basis in ipsec.conf instead
of having a global configuration in charon.conf.
Also, I am wondering why one has to disable XFRM & policy on the uplink
(local endpoint) interface in the case of route-based VPN. Is it because we
don't want ESP packets going from the VTI to the uplink interface in the egress
path to be subject to IPsec processing again? I doubt that is the reason,
because my understanding is that it is the "mark" which dictates whether IPsec
processing is applicable to an interface or not. IMO, even though the local
& remote selectors used in a route-based connection are, IPsec
processing will be skipped at the uplink since there is no match w.r.t. the SA
mark. Can someone please explain the significance of the requirement for
disabling XFRM & policy on the uplink interface?
If anyone has already succeeded in using route-based & policy-based VPN
together on the same box using strongSwan, I'd appreciate it if they could share
the configs.
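The VTI setup the post describes, written out as an added example (editor's, not part of the original post and not strongSwan project code), following the recipe on the strongSwan wiki's RouteBasedVPN page: a route-based conn with wildcard selectors and a mark, `install_routes` disabled globally, and the sysctls on the VTI and on the uplink interface. The addresses (RFC 5737 ranges), the interface names eth0/vti0, the subnets and the mark value 42 are assumptions. It covers only the route-based side; that `install_routes` is a global knob here is exactly the tension the question raises.

```shell
#!/bin/sh
# Added example, not part of the original post and not strongSwan project code:
# the pieces a VTI (route-based) strongSwan connection needs, following the
# recipe on the strongSwan wiki's RouteBasedVPN page. Addresses, interface
# names, subnets and the mark value below are assumptions for illustration.
set -eu

UPLINK=eth0              # assumed uplink (local endpoint) interface
VTI=vti0                 # assumed VTI interface name
MARK=42                  # assumed mark; the VTI "key" and ipsec.conf "mark=" must agree
LOCAL_IP=203.0.113.1     # assumed local gateway address (documentation range)
REMOTE_IP=198.51.100.1   # assumed remote gateway address (documentation range)
VTI_ADDR=10.255.0.1/30   # assumed address on the VTI itself
REMOTE_NET=10.20.0.0/16  # assumed network reached through the VTI

# charon.install_routes is a global setting (strongswan.conf, or the
# strongswan.d/charon.conf it includes); with a VTI the kernel routing table
# steers traffic into the tunnel, so charon must not add routes in table 220.
render_strongswan_conf() {
    cat <<'EOF'
charon {
    install_routes = no
}
EOF
}

# Wildcard selectors plus a mark: only packets carrying MARK (set by the VTI
# through its key) match this policy, so unmarked traffic is left alone.
render_ipsec_conf() {
    cat <<EOF
conn vti-site
    keyexchange=ikev2
    authby=secret
    left=$LOCAL_IP
    right=$REMOTE_IP
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$MARK
    auto=start
EOF
}

# Kernel side: the VTI with the same key as the mark, a route via the VTI,
# and the sysctls the wiki recipe sets on the VTI and on the uplink.
vti_setup_commands() {
    cat <<EOF
ip tunnel add $VTI local $LOCAL_IP remote $REMOTE_IP mode vti key $MARK
sysctl -w net.ipv4.conf.$VTI.disable_policy=1
ip link set $VTI up
ip addr add $VTI_ADDR dev $VTI
ip route add $REMOTE_NET dev $VTI
sysctl -w net.ipv4.conf.$UPLINK.disable_xfrm=1
sysctl -w net.ipv4.conf.$UPLINK.disable_policy=1
EOF
}

# Run with "apply" (as root) to execute the kernel commands; the config
# fragments are printed for the operator to merge into the real files.
case "${1:-}" in
    apply)
        vti_setup_commands | sh -e
        echo "# merge into strongswan.conf:"; render_strongswan_conf
        echo "# merge into ipsec.conf:";      render_ipsec_conf
        ;;
esac
```

Run it with `apply` as root to execute the `ip`/`sysctl` commands; the two config fragments are printed rather than written so they can be merged into existing files. The mark value appears in two places that must agree: the VTI's `key` and the conn's `mark=`.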

