[strongSwan] Route-based VPNs (XFRM Interfaces) vs policy-based VPNs

Michael Schwartzkopff ms at sys4.de
Fri Dec 20 17:56:51 CET 2019


On 20.12.19 17:42, Marco Berizzi wrote:
> Hello everyone,
>
> I need to set up a 0.0.0.0/0 to 0.0.0.0/0 ipsec tunnel.
> I was thinking to set it up with the new xfrm interfaces:
> I don't need to route all the 0.0.0.0/0 through this vpn.
>
> My question is how 'route-based' and 'policy-based'
> VPNs will coexist on the same linux box.
>
> For example, if I'm going to implement a 0.0.0.0/0 to
> 0.0.0.0/0 vpn with the xfrm interfaces and then I will
> route the traffic only for the 155.192.168.0/24 network
> through the ipsec0 device (for example), and then I
> implement a classic policy-based vpn (without the xfrm
> interface) with the following traffic selectors
> 166.172.16.0/24 and 177.16.172.0/24, what will happen?
> Will the linux kernel process the packets for the
> 166.172.16.0/24 and 177.16.172.0/24 into the right ipsec
> policy?
>
> Thanks
>
> Marco

I think mixing policy and route based VPNs on the same machine with
overlapping network ranges will cause trouble. I'd change to only
route-based VPNs in that case.


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
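The route-based-only layout Michael suggests, written out as an added example (not code from this thread or from the strongSwan project): one swanctl.conf connection per peer with catch-all 0.0.0.0/0 selectors bound to an XFRM interface id, and the iproute2 commands that steer only the prefixes Marco mentions into each interface. The peer addresses, the eth0 underlay device, the PSK identities and the if_id values 42 and 43 are assumptions; the functions only print configuration and commands, nothing is applied.

```shell
#!/bin/sh
# Added example: route-based IPsec with strongSwan swanctl.conf and XFRM interfaces.
# Assumptions (placeholders, not from the thread): local address 198.51.100.1,
# peers on 198.51.100.2 / 198.51.100.3, underlay NIC eth0, PSK authentication,
# if_id 42 for ipsec0 and 43 for ipsec1. Nothing here touches the kernel; the
# functions print text so the layout can be reviewed or dry-run anywhere.

# Print a swanctl.conf connection whose child uses 0.0.0.0/0 <-> 0.0.0.0/0
# traffic selectors bound to an XFRM interface id.
# Args: connection-name peer-address if_id
route_based_conn() {
    name=$1; peer=$2; ifid=$3
    cat <<EOF
connections {
    $name {
        local_addrs  = 198.51.100.1
        remote_addrs = $peer
        local {
            auth = psk
            id = vpn-local
        }
        remote {
            auth = psk
            id = $name-peer
        }
        children {
            net {
                # catch-all selectors: which traffic enters the tunnel is
                # decided by routing to the interface, not by these selectors
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in  = $ifid
                if_id_out = $ifid
                start_action = start
            }
        }
    }
}
EOF
}

# Print the iproute2 commands that create one xfrm interface and route only
# the listed prefixes through it. Args: ifname if_id prefix...
xfrm_iface_cmds() {
    ifname=$1; ifid=$2; shift 2
    echo "ip link add $ifname type xfrm dev eth0 if_id $ifid"
    echo "ip link set $ifname up"
    for prefix in "$@"; do
        echo "ip route add $prefix dev $ifname"
    done
}

# Number of routes a given interface layout would install.
route_count() { xfrm_iface_cmds "$@" | grep -c '^ip route add'; }

# Marco's two tunnels as two interfaces instead of one interface plus one
# policy-based connection:
route_based_conn peer-a 198.51.100.2 42
xfrm_iface_cmds ipsec0 42 155.192.168.0/24
route_based_conn peer-b 198.51.100.3 43
xfrm_iface_cmds ipsec1 43 166.172.16.0/24 177.16.172.0/24
```

With both tunnels on XFRM interfaces the selectors no longer compete: each pair of 0.0.0.0/0 policies is tied to its interface by if_id, and the routing table, not policy lookup, decides whether a packet for 155.192.168.0/24 goes into ipsec0 or one for 166.172.16.0/24 into ipsec1. `ip xfrm policy` shows the if_id on each installed policy, which is the check to run when overlapping selectors are suspected.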

