[strongSwan] Coexistence of route-based and policy-based VPN

Sandesh Sawant sandesh.sawant at gmail.com
Tue Apr 4 03:12:40 CEST 2017


Hi,

I am familiar with configuring policy-based VPN using strongSwan, and I
have recently set up route-based VPN using strongSwan. I am wondering
whether one can simultaneously set up and use route-based and policy-based
connections in the same gateway. Can someone confirm the same?
As per my understanding, policy-based VPN requires strongSwan to install
routes in table 220, whereas in route-based VPN route installation by
Charon must be disabled. Therefore, for both types of connections to
co-exist, I guess there needs to be a way to configure whether route
installation is done or not on a per-connection basis in ipsec.conf instead
of having a global configuration in charon.conf.
Also, I am wondering why one has to disable XFRM & Policy on the uplink
(local endpoint) interface in case of route-based VPN. Is it because we
don't want ESP packets going from VTI to uplink interface in the egress
path to be subject to IPsec processing again? I doubt that is the reason,
because my understanding is that it is the "mark" which dictates if IPsec
processing is applicable to an interface or not. IMO, even though the local
& remote selectors used in the route-based connection are 0.0.0.0/0, IPsec
processing will be skipped at the uplink since there is no match w.r.t. SA
mark. Can someone please explain the significance of the requirement for
disabling XFRM & policy on the uplink interface?
If anyone has already succeeded in using route-based & policy-based VPN
together in the same box using strongSwan, I'd appreciate it if they could share
the configs.

Thanks,
Sandesh
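The post's premise is that policy-based conns depend on charon installing routes in table 220 while mark-based (VTI) conns need that installation turned off, and that strongSwan only exposes this as the global charon.install_routes setting. The following script is an added example, not part of the original post or of strongSwan itself: it parses a constructed ipsec.conf and strongswan.conf, treats any conn with a mark option as route-based, and reports which conns conflict with the global setting under exactly that premise. The conn names, addresses, and the mark value 42 are constructed sample values.

```python
"""Hypothetical consistency check for mixing route-based (VTI/mark) and
policy-based conns under one global charon.install_routes setting.
Added example; not code from the mailing-list post or from strongSwan."""
import re

# Constructed sample ipsec.conf: one policy-based conn, one mark-based VTI conn.
IPSEC_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev2
    left=192.0.2.1

conn site-policy
    right=198.51.100.1
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=start

conn site-vti
    right=198.51.100.2
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=42
    auto=start
"""

# Constructed sample strongswan.conf with route installation left enabled.
STRONGSWAN_CONF = """\
charon {
    install_routes = yes
}
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' settings merged in."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented: "conn NAME" / "config setup"
            kind, _, name = line.strip().partition(" ")
            current = (kind, name)
            sections[current] = {}
        elif current is not None:                  # indented: key=value inside a section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), opts in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(defaults)
            merged.update(opts)
            conns[name] = merged
    return conns


def install_routes_enabled(text):
    """Read charon.install_routes from strongswan.conf; strongSwan defaults it to yes."""
    m = re.search(r"^\s*install_routes\s*=\s*(\S+)", text, re.M)
    return m is None or m.group(1).lower() in ("yes", "true", "1")


def classify(conn):
    """Treat any conn that sets a mark as route-based (VTI), everything else as policy-based."""
    return "route-based" if any(k in conn for k in ("mark", "mark_in", "mark_out")) else "policy-based"


def check(ipsec_text, strongswan_text):
    """Classify each conn and flag those that conflict with the global route setting."""
    conns = parse_ipsec_conf(ipsec_text)
    kinds = {name: classify(c) for name, c in conns.items()}
    routes_on = install_routes_enabled(strongswan_text)
    findings = []
    for name, kind in kinds.items():
        subnet = conns[name].get("rightsubnet", "?")
        if kind == "route-based" and routes_on:
            findings.append(f"{name}: mark/VTI conn but charon.install_routes is enabled; "
                            f"charon will add a table 220 route for {subnet}")
        if kind == "policy-based" and not routes_on:
            findings.append(f"{name}: policy-based conn but charon.install_routes is disabled; "
                            f"no table 220 route will be installed for {subnet}")
    return kinds, findings


if __name__ == "__main__":
    kinds, findings = check(IPSEC_CONF, STRONGSWAN_CONF)
    for name, kind in kinds.items():
        print(f"{name}: {kind}")
    for f in findings:
        print("WARNING:", f)
```

Run against the embedded samples it reports site-vti as route-based and warns that install_routes is still enabled for it; flipping install_routes to no moves the warning to site-policy, which is the per-connection gap the post is asking about.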