[strongSwan] Unable to get route-based tunnel working with XFRM device
Volodymyr Litovka
doka.ua at gmx.com
Thu Aug 13 17:36:03 CEST 2020
Hi Tom,
please see below.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
> On 13 Aug 2020, at 18:22, Tom Cannaerts <mot at tom.be> wrote:
>
> I'm trying to set up a route-based tunnel using an xfrm interface, but it's not clear to me how to link the policy to the interface.
>
> This is my ipsec.conf on router1 (currently a lab-based setup):
>
> conn router2
>     fragmentation=yes
>     dpdaction=restart
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     keyingtries=%forever
>     leftid=192.168.100.101
>     leftauth=secret
>     rightauth=secret
>     leftsubnet=192.168.101.0/24
>     keyexchange=ikev2
>     right=192.168.100.102
>     rightsubnet=192.168.102.0/24
>     auto=start
Since I’m using swanctl.conf, I don’t know how it maps to the old config, but there are no if_id_in/if_id_out parameters, which would connect it with the xfrm interface. In my case it looks as shown below:
connections {
    conn1 {
        children {
            conn1-child {
                if_id_in = 9
                if_id_out = 9
            }
        }
    }
}
> This is how I'm creating the interface using iproute2
>
> ip link add ipsec2 type xfrm dev eth0 if_id 0xff02
> sysctl -w net.ipv4.conf.ipsec2.disable_policy=1
> ip link set ipsec2 up
> ip route add 192.168.102.0/24 dev ipsec2 metric 10
I assign the IP address directly to the xfrm interface:
ip link add xfrm0 type xfrm dev lo if_id 9
ip link set xfrm0 up
ip address add x.x.x.x/24 dev xfrm0
And don’t forget to unload kernel-libipsec to avoid running in userland.
Hope this’ll help.
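The point of the reply above is that the interface ID given to `ip link add ... type xfrm` and the `if_id_in`/`if_id_out` of the CHILD_SA are what tie the policy to the interface, so they have to carry the same value. The script below is an added example (not posted by either participant and not strongSwan's own tooling): it derives both the iproute2 commands and a swanctl.conf `children` fragment from one interface ID, normalising hex IDs such as `0xff02` to the decimal form swanctl.conf expects. The function names (`if_id_dec`, `run`, `xfrm_iface`, `xfrm_route`, `swanctl_child`) and the `DRY_RUN` switch are assumptions of this example; the interface, device and subnet values are those from the thread.

```shell
#!/bin/sh
# Added example: build a route-based IPsec tunnel on an XFRM interface with a
# single interface ID shared by the interface and the swanctl.conf child.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

# Normalise an interface ID to decimal. `ip` accepts 0xff02, but
# swanctl.conf's if_id_in/if_id_out are plain integers; using one helper for
# both avoids a silent mismatch that leaves the tunnel up but unused.
if_id_dec() {
    printf '%d\n' "$(( $1 ))"
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# xfrm_iface NAME UNDERLAY_DEV IF_ID [ADDR/PREFIX]
# Creates the XFRM interface bound to an underlay device, disables policy
# lookup on it (traffic is steered by routes, not by SPD entries), brings it
# up and optionally assigns an address (the approach used in the reply).
xfrm_iface() {
    name=$1; dev=$2; id=$(if_id_dec "$3"); addr=${4:-}
    run ip link add "$name" type xfrm dev "$dev" if_id "$id"
    run sysctl -w "net.ipv4.conf.$name.disable_policy=1"
    run ip link set "$name" up
    if [ -n "$addr" ]; then
        run ip address add "$addr" dev "$name"
    fi
}

# xfrm_route PREFIX NAME: steer a remote subnet into the interface.
xfrm_route() {
    run ip route add "$1" dev "$2"
}

# swanctl_child CHILD_NAME IF_ID LOCAL_TS REMOTE_TS
# Prints the swanctl.conf children block that binds the CHILD_SA to the
# interface; paste it inside the relevant connection.
swanctl_child() {
    id=$(if_id_dec "$2")
    cat <<EOF
children {
    $1 {
        local_ts = $3
        remote_ts = $4
        if_id_in = $id
        if_id_out = $id
    }
}
EOF
}

# Demo with the thread's values; run as `sh script.sh demo` (DRY_RUN=1 to preview).
case "${1:-}" in
    demo)
        xfrm_iface ipsec2 eth0 0xff02
        xfrm_route 192.168.102.0/24 ipsec2
        swanctl_child router2 0xff02 192.168.101.0/24 192.168.102.0/24
        ;;
esac
```

With `DRY_RUN=1 sh script.sh demo` the script prints the four `ip`/`sysctl` commands with `if_id 65282` followed by a children block whose `if_id_in`/`if_id_out` are also 65282, which is the pairing the original ipsec.conf was missing. As the reply notes, the kernel-libipsec plugin must not be loaded, otherwise the SAs live in userland and never reach the XFRM interface.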