[strongSwan] MOBIKE + VTI

Prashanth Venugopal pvenugopal at vmware.com
Fri Dec 1 21:00:16 CET 2017


Hi Tobias et al.,

I was digging deeper to see if I can make this work (get notifications when an UPDATE_SA event happens in a MOBIKE connection).

From a brief reading of the ike_mobike.c file, it looks like strongswan deletes the previous child_sa and creates a new one when an UPDATE_SA notification is received. I presume this will trigger a child_SA up_down notification through the vici plugin?

I have been trying to create a scenario which triggers an UPDATE_SA using my Android phone (native VPN client, Android version 7.0) to connect to a Linux GW using strongswan as the responder, but have been unsuccessful in triggering this notification from the client.

However, we would like to see if we can handle this situation gracefully in our code base (which uses strongswan with VTI tunnels). So any insight into the following topics would be much appreciated.

  1.  The VICI trigger when an update_SA event is received on the responder.
  2.  A way to trigger the update_SA event from the mobile client (using native vpn support in android 7.0, just so that we can test easily with PSK auth).

Thanks
prashanth

From: Users <users-bounces at lists.strongswan.org> on behalf of Prashanth Venugopal <pvenugopal at vmware.com>
Date: Thursday, November 30, 2017 at 10:44 AM
To: "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: Re: [strongSwan] MOBIKE + VTI

Hi,

I am wondering if we could use the “listen” API provided in vici to get notified for “UPDATE_SA_ADDRESSES” events. But I am not sure what is the exact event type to register for.

Any help would be appreciated.

Thanks
Prashanth

From: Users <users-bounces at lists.strongswan.org> on behalf of Prashanth Venugopal <pvenugopal at vmware.com>
Date: Thursday, November 30, 2017 at 1:18 AM
To: "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: [strongSwan] MOBIKE + VTI

Hi,

We have a use case where we need to support MOBIKE with VTI interfaces. S
Our current solution involves using strongswan to provide the IKE protocol communication, but we disable route installs in Charon and add routes through our application code to point it to the appropriate VTI interfaces.

We want to do something similar for mobile clients (that use MOBIKE) but we would also like to cover the “UPDATE_SA_ADDRESSES” notification cases. In short, we would like to somehow figure out in our application (which uses the vici plugin to talk to strongswan) when an “UPDATE_SA_ADDRESSES” is received so that we can point the routes to a new/different vti interface.

I do see that strongswan does the path switching when it is taking care of routing, but is there a notification that the application could register for to catch this event and react appropriately with vti interfaces?
Would the SA get deleted and re-created when this happens?

Thanks
Prashanth

