[strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel

flyingrhino flyingrhino at orcon.net.nz
Wed Apr 11 23:28:09 CEST 2018

On 2018-04-12 05:52, Noel Kuntze wrote:

Thanks Noel, that was the direction I needed !
Your dhcp relay suggestion is a good one too.
Back to the engineering lab for me :)

Best regards.

> Hello,
> IPsec is a layer 3 tunneling protocol. The solution to your problem is
> to wrap a layer two tunneling protocol inside IPsec. On Linux, that
> could be a gretap tunnel, geneve, or other. There are many to choose.
> Check the man page of `ip tunnel` or the corresponding help message.
> Kind regards
> Noel
> On 11.04.2018 05:04, flyingrhino wrote:
>> Hi,
>> I am trying to connect a servers-network to several remote 
>> clients-networks using ipsec/strongswan.
>> Normally I could do that easily at Layer 3 on my own without troubling 
>> the forum.
>> However, I need to pass L2 packets from side to side - this includes 
>> ARP - because the machines at the initiator left side are being given 
>> IP addresses from a DHCP server located at the responder left side.
>> Network description:
>> - On the initiator machine I have a tap interface that's bridged with 
>> eth0 that connects to a physical switch. The DHCP clients connect to 
>> this switch.
>> I have several of these networks.
>> Each of these networks is a road-warrior style setup - the network can 
>> pop up anywhere in the world.
>> - On the responder machine I also have a tap interface that's bridged 
>> with eth0 that connects to a switch. The DHCP server and other servers 
>> connect to this switch.
>> I must assign IPs to the initiator-side-clients from the 
>> responder-side DHCP server - I can't have DHCP servers on the remote 
>> networks at the clients end (where the initiator lives).
>> Is there a way to tell strongswan/ipsec that it should take all the 
>> traffic from the tap interface and push it through the tunnel to make 
>> it appear at the other side tap interface?
>> If needed - I don't mind setting up multiple tap interfaces on the 
>> responder - each serving one initiator.
>> Can you please point me in the right direction?
>> Do you have an example similar to my scenario that I can look at to 
>> learn from?
>> Thank you very much.
>> A long time openvpn sysadmin now turned strongswan sysadmin!

More information about the Users mailing list