[strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel
flyingrhino
flyingrhino at orcon.net.nz
Wed Apr 11 23:28:09 CEST 2018
On 2018-04-12 05:52, Noel Kuntze wrote:
Thanks Noel, that was the direction I needed!
Your DHCP relay suggestion is a good one too.
Back to the engineering lab for me :)
Best regards.
> Hello,
>
> IPsec is a layer 3 tunneling protocol. The solution to your problem is
> to wrap a layer two tunneling protocol inside IPsec. On Linux, that
> could be a gretap tunnel, geneve, or other. There are many to choose from.
> Check the man page of `ip tunnel` or the corresponding help message.
>
> Kind regards
>
> Noel
>
> On 11.04.2018 05:04, flyingrhino wrote:
>> Hi,
>>
>> I am trying to connect a servers-network to several remote
>> clients-networks using ipsec/strongswan.
>> Normally I could do that easily at Layer 3 on my own without troubling
>> the forum.
>>
>> However, I need to pass L2 packets from side to side - this includes
>> ARP - because the machines at the initiator left side are being given
>> IP addresses from a DHCP server located at the responder left side.
>>
>> Network description:
>>
>> - On the initiator machine I have a tap interface that's bridged with
>> eth0 that connects to a physical switch. The DHCP clients connect to
>> this switch.
>> I have several of these networks.
>> Each of these networks is a road-warrior style setup - the network can
>> pop up anywhere in the world.
>>
>> - On the responder machine I also have a tap interface that's bridged
>> with eth0 that connects to a switch. The DHCP server and other servers
>> connect to this switch.
>> I must assign IPs to the initiator-side-clients from the
>> responder-side DHCP server - I can't have DHCP servers on the remote
>> networks at the clients end (where the initiator lives).
>>
>>
>> Is there a way to tell strongswan/ipsec that it should take all the
>> traffic from the tap interface and push it through the tunnel to make
>> it appear at the other side tap interface?
>> If needed - I don't mind setting up multiple tap interfaces on the
>> responder - each serving one initiator.
>>
>> Can you please point me in the right direction?
>> Do you have an example similar to my scenario that I can look at to
>> learn from?
>>
>> Thank you very much.
>> A long time openvpn sysadmin now turned strongswan sysadmin!
>>
>>
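
The approach Noel describes (a gretap device bridged on each side, with the GRE flow between the two hosts protected by IPsec) is sketched below as an added example; it is not part of the original thread and not strongSwan project code. The fixed endpoint addresses, the names `br0` and `gretap1`, the MTU value and the sample policy dump are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed values (not from the thread): endpoints, bridge br0, device gretap1.
LOCAL=192.0.2.1
REMOTE=198.51.100.1

# Print the commands that build the L2 tunnel; review, then run them as root.
l2_tunnel_cmds() {  # args: local remote bridge
    cat <<EOF
ip link add gretap1 type gretap local $1 remote $2
ip link set gretap1 mtu 1400
ip link set gretap1 master $3
ip link set gretap1 up
EOF
}
# MTU 1400 is an assumed conservative value leaving room for GRE and ESP headers.
# The IPsec child SA must select the GRE flow itself, for example in swanctl.conf:
#   local_ts = 192.0.2.1/32[gre]   remote_ts = 198.51.100.1/32[gre]

# Read `ip xfrm policy` output on stdin. Succeed only if an outbound policy
# selects GRE (shown as "gre" or "47") between the endpoints AND carries an
# ESP template; a policy without a template would pass frames in cleartext.
gre_protected() {  # args: local remote
    awk -v l="$1/32" -v r="$2/32" '
        $1 == "src"  { out = 0
                       sel = ($2 == l && $4 == r && $5 == "proto" &&
                              ($6 == "gre" || $6 == "47")) }
        $1 == "dir"  { out = (sel && $2 == "out") }
        $1 == "proto" && $2 == "esp" && out { found = 1 }
        END { exit !found }'
}

# Constructed sample of `ip xfrm policy` output (not captured from a real host).
SAMPLE_POLICY='src 192.0.2.1/32 dst 198.51.100.1/32 proto gre
    dir out priority 366847 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp spi 0xc1234567 reqid 1 mode transport'

l2_tunnel_cmds "$LOCAL" "$REMOTE" br0
if printf '%s\n' "$SAMPLE_POLICY" | gre_protected "$LOCAL" "$REMOTE"; then
    echo "GRE flow is covered by ESP"
else
    echo "WARNING: GRE flow is not covered by ESP" >&2
fi
# On a live host: ip xfrm policy | gre_protected "$LOCAL" "$REMOTE"
```

Running the check before attaching the gretap device to the bridge confirms that bridged frames, including DHCP and ARP, cannot leave the host unencrypted.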