[strongSwan] Route-based VPNs (XFRM Interfaces) vs policies based VPNs

noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Dec 20 18:00:46 CET 2019


*immediate from-mobile contradiction*

Policies will be applied before any route-based VPNs are in play. So in your examples the policy will be applied. Take care that strongSwan is configured to insert the routes. Otherwise source IP selection can be a problem.

Kind regards

Noel

Sent from mobile

On December 20, 2019 4:56:51 PM UTC, Michael Schwartzkopff <ms at sys4.de> wrote:
>On 20.12.19 17:42, Marco Berizzi wrote:
>> Hello everyone,
>>
>> I need to set up a 0.0.0.0/0 to 0.0.0.0/0 ipsec tunnel.
>> I was thinking to set it up with the new xfrm interfaces:
>> I don't need to route all the 0.0.0.0/0 through this vpn.
>>
>> My question is how 'route based' and 'policies based'
>> VPNs will coexist on the same linux box.
>>
>> For example, if I'm going to implement a 0.0.0.0/0 to
>> 0.0.0.0/0 vpn with the xfrm interfaces and then I will
>> route the traffic only for the 155.192.168.0/24 network
>> through the ipsec0 device (for example), and then I
>> implement a classic policy based vpn (without the xfrm
>> interface) with the following traffic selectors
>> 166.172.16.0/24 and 177.16.172.0/24, what will happen?
>> Will the linux kernel process the packets for the
>> 166.172.16.0/24 and 177.16.172.0/24 into the right ipsec
>> policy?
>>
>> Thanks
>>
>> Marco
>
>I think mixing policy and route based VPNs on the same machine with
>overlapping network ranges will cause trouble. I'd change to only
>route-based VPNs in that case.
>
>
>Kind regards,
>
>-- 
>
>[*] sys4 AG
> 
>https://sys4.de, +49 (89) 30 90 46 64
>Schleißheimer Straße 26/MG,80333 München
> 
>Registered office: München, Amtsgericht München: HRB 199263
>Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>Chairman of the supervisory board: Florian Kirstein