[strongSwan] Unable to get route-based tunnel working with XFRM device
Tom Cannaerts
mot at tom.be
Thu Aug 13 17:22:07 CEST 2020
I'm trying to set up a route-based tunnel using an xfrm interface, but it's
not clear to me how to link the policy to the interface.
This is the ipsec.conf of router1 (currently a lab-based setup):
conn router2
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    keyingtries=%forever
    leftid=192.168.100.101
    leftauth=secret
    rightauth=secret
    leftsubnet=192.168.101.0/24
    keyexchange=ikev2
    right=192.168.100.102
    rightsubnet=192.168.102.0/24
    auto=start
This is how I'm creating the interface using iproute2:
ip link add ipsec2 type xfrm dev eth0 if_id 0xff02
sysctl -w net.ipv4.conf.ipsec2.disable_policy=1
ip link set ipsec2 up
ip route add 192.168.102.0/24 dev ipsec2 metric 10
The tunnel is working and I can ping the other side. But it's not using the
route-based interface, it's using policy-based. If I delete the static
route, I can still ping the other network.
In the RouteBasedVPN wiki, for vti devices you need to add the mask. For
xfrm devices it says "No awkward configuration via GRE keys and XFRM marks.
Instead, a new identifier (XFRM interface ID) links policies and SAs with
XFRM interfaces." but doesn't further specify how. If I add the mask=0xff02
to the connection in ipsec.conf, the tunnel is still brought up, but I
can't send any data over it.
Any idea what I am missing?
Thanks!
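An added example that is not part of the original post: the XFRM interface ID is linked to a connection through the if_id_in / if_id_out child options, which exist only in the swanctl.conf format (strongSwan 5.8 and later); the legacy ipsec.conf format has no equivalent keyword, which is why mark/mask does nothing useful for an xfrm interface. The block below is the swanctl.conf equivalent of the poster's conn, with the child bound to the ipsec2 interface created above; the PSK value is a placeholder.

```conf
# /etc/swanctl/swanctl.conf on router1 (added example, not the poster's config)
connections {
    router2 {
        version = 2
        local_addrs = 192.168.100.101
        remote_addrs = 192.168.100.102
        fragmentation = yes
        keyingtries = 0          # equivalent of keyingtries=%forever
        proposals = aes256-sha256-modp2048
        local {
            id = 192.168.100.101
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            router2 {
                local_ts = 192.168.101.0/24
                remote_ts = 192.168.102.0/24
                esp_proposals = aes256-sha256-modp2048
                dpd_action = restart
                start_action = start
                # Bind this CHILD_SA's policies and SAs to the XFRM interface
                # created with "ip link add ipsec2 type xfrm dev eth0 if_id 0xff02".
                # 65282 is 0xff02 in decimal. With the ID set, the policies only
                # match packets that traverse ipsec2, so the static route through
                # ipsec2 is what selects the tunnel (deleting it stops traffic).
                if_id_in = 65282
                if_id_out = 65282
            }
        }
    }
}
secrets {
    ike-router2 {
        id = 192.168.100.102
        secret = "PLACEHOLDER-PSK"   # placeholder, replace with the real PSK
    }
}
```

After `swanctl --load-all`, `ip xfrm policy` should show the policies carrying `if_id 0xff02`, and `swanctl --list-sas` the CHILD_SA installed; if the policies show no if_id, the connection was loaded through the stroke/ipsec.conf path rather than vici.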