[strongSwan] Route-based VPNs (XFRM Interfaces) vs policies based VPNs

Felipe Arturo Polanco felipeapolanco at gmail.com
Fri Dec 20 18:09:41 CET 2019


Hi,

I have done this before, it works fine.

Just make sure you add a corresponding mark to both the definition of the
ipsec0 interface and the strongSwan config for 0.0.0.0/0.

XFRM looks for the most specific traffic selector when finding a match: it
will check against the route-based selector first and then check 0.0.0.0/0
last.

On Fri, Dec 20, 2019 at 12:57 PM Michael Schwartzkopff <ms at sys4.de> wrote:

> On 20.12.19 17:42, Marco Berizzi wrote:
> > Hello everyone,
> >
> > I need to set up a 0.0.0.0/0 to 0.0.0.0/0 ipsec tunnel.
> > I was thinking of setting it up with the new xfrm interfaces:
> > I don't need to route all of 0.0.0.0/0 through this vpn.
> >
> > My question is how 'route based' and 'policies based'
> > VPNs will coexist on the same linux box.
> >
> > For example, if I'm going to implement a 0.0.0.0/0 to
> > 0.0.0.0/0 vpn with the xfrm interfaces and then I will
> > route the traffic only for the 155.192.168.0/24 network
> > through the ipsec0 device (for example), and then I
> > implement a classic policy-based vpn (without the xfrm
> > interface) with the following traffic selectors,
> > 166.172.16.0/24 and 177.16.172.0/24, what will happen?
> > Will the linux kernel process the packets for
> > 166.172.16.0/24 and 177.16.172.0/24 with the right ipsec
> > policy?
> >
> > Thanks
> >
> > Marco
>
> I think mixing policy and route based VPNs on the same machine with
> overlapping network ranges will cause trouble. I'd change to only
> route-based VPNs in that case.
>
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
>
>
>
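As an added sketch of the pairing Felipe describes (not configuration from the thread or from the strongSwan project): the 0.0.0.0/0 child is tied to the ipsec0 XFRM interface through a shared interface ID, while the second connection keeps its narrow selectors as a plain policy-based tunnel. strongSwan expresses the binding to an XFRM interface with `if_id_in`/`if_id_out` on the child, matching the `if_id` given to the link; the ID 42, the addresses, the identities, eth0 and PSK authentication are all assumed values.

```conf
# swanctl.conf sketch (assumed values; needs strongSwan 5.8+ for XFRM interfaces)
#
# Create the XFRM interface and route only the chosen prefix into it:
#   ip link add ipsec0 type xfrm dev eth0 if_id 42
#   ip link set ipsec0 up
#   ip route add 155.192.168.0/24 dev ipsec0
connections {
    # Route-based tunnel: 0.0.0.0/0 <-> 0.0.0.0/0, bound to ipsec0 via if_id 42.
    # Only traffic routed into ipsec0 is encrypted by it; the wide selectors
    # alone do not pull any traffic in.
    rb-any {
        local_addrs  = 192.0.2.1        # assumed local gateway address
        remote_addrs = 198.51.100.1     # assumed first peer
        local  { auth = psk
                 id = gw-a }
        remote { auth = psk
                 id = gw-b }
        children {
            any {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in  = 42          # must equal the if_id of ipsec0
                if_id_out = 42
                start_action = start
            }
        }
    }
    # Classic policy-based tunnel with narrow selectors and no XFRM interface.
    # Its policies are more specific than 0.0.0.0/0 and are matched first.
    pb-net {
        local_addrs  = 192.0.2.1
        remote_addrs = 203.0.113.1      # assumed second peer
        local  { auth = psk
                 id = gw-a }
        remote { auth = psk
                 id = gw-c }
        children {
            net {
                local_ts  = 166.172.16.0/24
                remote_ts = 177.16.172.0/24
                start_action = start
            }
        }
    }
}
secrets {
    ike-b { id = gw-b
            secret = "REPLACE-ME" }
    ike-c { id = gw-c
            secret = "REPLACE-ME" }
}
```

After `swanctl --load-all`, `ip xfrm policy` should list the 166.172.16.0/24 <-> 177.16.172.0/24 policies with a lower numeric priority value than the 0.0.0.0/0 ones, which is what makes the narrow selectors win the lookup.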