[strongSwan] Route-based VPNs (XFRM Interfaces) vs policy-based VPNs

noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Dec 20 18:18:08 CET 2019


Mark is only needed with VTIs. XFRM interfaces work with if_ids.

Am December 20, 2019 5:09:41 PM UTC schrieb Felipe Arturo Polanco <felipeapolanco at gmail.com>:
>Hi,
>
>I have done this before, it works fine.
>
>Just make sure you add a corresponding mark to both the definition of the
>ipsec0 interface and the strongSwan config for 0.0.0.0/0.
>
>XFRM looks for the most specific traffic selector when finding a match;
>it will check against the route-based selector first and then will check
>0.0.0.0/0 last.
>
>On Fri, Dec 20, 2019 at 12:57 PM Michael Schwartzkopff <ms at sys4.de> wrote:
>
>> On 20.12.19 17:42, Marco Berizzi wrote:
>> > Hello everyone,
>> >
>> > I need to set up a 0.0.0.0/0 to 0.0.0.0/0 ipsec tunnel.
>> > I was thinking to set it up with the new xfrm interfaces:
>> > I don't need to route all the 0.0.0.0/0 through this vpn.
>> >
>> > My question is how 'route based' and 'policy based'
>> > VPNs will coexist on the same linux box.
>> >
>> > For example, if I'm going to implement a 0.0.0.0/0 to
>> > 0.0.0.0/0 vpn with the xfrm interfaces and then I will
>> > route the traffic only for the 155.192.168.0/24 network
>> > through the ipsec0 device (for example), and then I
>> > implement a classic policy based vpn (without the xfrm
>> > interface) with the following traffic selectors
>> > 166.172.16.0/24 and 177.16.172.0/24, what will happen?
>> > Will the linux kernel process the packets for the
>> > 166.172.16.0/24 and 177.16.172.0/24 into the right ipsec
>> > policy?
>> >
>> > Thanks
>> >
>> > Marco
>>
>> I think mixing policy and route based VPNs on the same machine with
>> overlapping network ranges will cause trouble. I'd change to only
>> route-based VPNs in that case.
>>
>>
>> Kind regards,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG, 80333 München
>>
>> Registered office: München, Amtsgericht München: HRB 199263
>> Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Chairman of the supervisory board: Florian Kirstein
>>
>>
>>

Sent from mobile
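The thread turns on how the kernel picks a policy when an XFRM-interface tunnel with 0.0.0.0/0 selectors shares a box with a classic policy-based tunnel. The following is an added toy model of that outbound lookup, written for this thread; it is neither strongSwan nor kernel code. It assumes the kernel's per-policy test is "if_id must equal the packet's if_id, then (mark & mask) must equal the policy's mark value, then the selector must cover the packet", walked in ascending priority order, and it stands in a hypothetical priority formula (narrower selectors get lower, i.e. better, values) for strongSwan's real one. The addresses, if_id 42 and mark 0x2a are constructed from the thread's example.

```python
"""Toy model of the Linux XFRM outbound policy lookup with coexisting
route-based (XFRM interface, if_id) and policy-based tunnels.
Added example for the strongSwan users thread; not strongSwan or kernel code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One outbound policy as an IKE daemon would install it (simplified)."""
    name: str
    src: str              # local traffic selector (CIDR)
    dst: str              # remote traffic selector (CIDR)
    if_id: int = 0        # XFRM interface id; 0 = not bound to an interface
    mark_value: int = 0   # fwmark match: the mechanism VTIs rely on
    mark_mask: int = 0    # mask 0 means the mark is ignored entirely

    @property
    def priority(self) -> int:
        # Assumption (hypothetical formula): lower value wins, and narrower
        # selectors get lower values, so a /24 pair beats 0.0.0.0/0 <-> 0.0.0.0/0
        # whenever both could match.  Not strongSwan's real calculation.
        bits = ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
        return 100000 - bits * 512


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    if_id: int = 0   # set by the kernel when the packet leaves via an xfrm interface
    mark: int = 0    # fwmark, set by a VTI device or by a netfilter rule


def policy_matches(pol: Policy, pkt: Packet) -> bool:
    """Per-policy test, modelled on the kernel: if_id, then mark, then selector."""
    if pol.if_id != pkt.if_id:
        return False
    if (pkt.mark & pol.mark_mask) != pol.mark_value:
        return False
    return (ip_address(pkt.src) in ip_network(pol.src)
            and ip_address(pkt.dst) in ip_network(pol.dst))


def lookup_policy(policies, pkt: Packet):
    """Name of the best-priority matching policy, or None (packet goes out in clear)."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if policy_matches(pol, pkt):
            return pol.name
    return None


def route_if_id(dst: str, routes) -> int:
    """Longest-prefix route lookup; returns the if_id of the egress device (0 = plain NIC)."""
    best_len, best_id = -1, 0
    for cidr, if_id in routes:
        net = ip_network(cidr)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_id = net.prefixlen, if_id
    return best_id


# Constructed scenario following the thread: an XFRM-interface tunnel with
# 0.0.0.0/0 selectors bound to if_id 42, and one classic policy-based tunnel.
POLICIES = [
    Policy("xfrm-ipsec0", "0.0.0.0/0", "0.0.0.0/0", if_id=42),
    Policy("policy-based", "166.172.16.0/24", "177.16.172.0/24"),
]
# Routing table: only 155.192.168.0/24 is steered into ipsec0 (if_id 42);
# everything else leaves through the plain NIC (if_id 0).
ROUTES = [("0.0.0.0/0", 0), ("155.192.168.0/24", 42)]


def classify(src: str, dst: str, policies=POLICIES, routes=ROUTES, mark: int = 0):
    """Route first (that fixes the if_id), then run the policy lookup."""
    pkt = Packet(src, dst, if_id=route_if_id(dst, routes), mark=mark)
    return lookup_policy(policies, pkt)


if __name__ == "__main__":
    for s, d in [("166.172.16.5", "177.16.172.9"),   # policy-based tunnel
                 ("10.0.0.1", "155.192.168.7"),       # routed into ipsec0
                 ("10.0.0.1", "198.51.100.1")]:       # neither: cleartext
        print(f"{s} -> {d}: {classify(s, d)}")
```

Two things the model makes visible. First, the 0.0.0.0/0 policy does not swallow all traffic, because it only matches packets that carry if_id 42, and a packet only gets that if_id when the routing table sends it into ipsec0; that is Noel's point that XFRM interfaces need no mark. Second, the overlap Michael warns about is decided by routing: if someone later adds a route for 177.16.172.0/24 via ipsec0, packets from 166.172.16.0/24 to that network get if_id 42 and land in the route-based tunnel, never in the policy-based one. In a real deployment the if_id is what `ip link add ipsec0 type xfrm dev eth0 if_id 42` assigns to the interface and what the child's `if_id_in`/`if_id_out` set in swanctl.conf.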