[strongSwan] Unable to get route-based tunnel working with XFRM device

Tom Cannaerts mot at tom.be
Fri Aug 14 11:54:42 CEST 2020


I've converted the config from ipsec.conf to swanctl.conf and got it
working. Thanks! The ipsec.conf does not appear to have an alternative for
the if_id_in/out parameters.

For those interested, I have a working docker-compose based lab setup on
GitHub: https://github.com/TomCan/strongswan-xfrm-poc



On Thu 13 Aug 2020 at 17:36, Volodymyr Litovka <doka.ua at gmx.com> wrote:

> Hi Tom,
>
> please, see below
>
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
>
> On 13 Aug 2020, at 18:22, Tom Cannaerts <mot at tom.be> wrote:
>
> I'm trying to set up a route-based tunnel using an xfrm interface, but it's
> not clear to me how to link the policy to the interface.
>
> This is my ipsec.conf of router1 (currently lab based setup)
>
> conn router2
>     fragmentation=yes
>     dpdaction=restart
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     keyingtries=%forever
>     leftid=192.168.100.101
>     leftauth=secret
>     rightauth=secret
>     leftsubnet=192.168.101.0/24
>     keyexchange=ikev2
>     right=192.168.100.102
>     rightsubnet=192.168.102.0/24
>     auto=start
>
>
> Since I’m using swanctl.conf, I don’t know how it maps to the old config, but
> there are no if_id_in/if_id_out parameters, which would connect it with the xfrm
> interface. In my case it looks as shown below:
>
> connections {
>         conn1 {
>                 children {
>                         conn1-child {
>                                 if_id_in = 9
>                                 if_id_out = 9
>                         }
>                 }
>         }
> }
>
> This is how I'm creating the interface using iproute2
>
> ip link add ipsec2 type xfrm dev eth0 if_id 0xff02
> sysctl -w net.ipv4.conf.ipsec2.disable_policy=1
> ip link set ipsec2 up
> ip route add 192.168.102.0/24 dev ipsec2 metric 10
>
>
> I assign the IP address directly to the xfrm interface
>
> ip link add xfrm0 type xfrm dev lo if_id 9
> ip link set xfrm0 up
> ip address add x.x.x.x/24 dev xfrm0
>
> And don’t forget to unload kernel-libipsec to avoid running in userland.
>
> Hope this’ll help.
>
>
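The two halves of the thread, the iproute2 commands for the XFRM interface and the swanctl.conf child with if_id_in/if_id_out, put together as one added example. This is not code from the original posts or from the strongSwan project; it takes the addresses and proposals from Tom's router1 conn and assumes the interface name ipsec2, the underlay device eth0, the interface ID 0xff02, a placeholder PSK and a dpd_delay of 30s. The kernel-side function needs root and a kernel built with CONFIG_XFRM_INTERFACE; the config-generating functions run anywhere.

```shell
#!/bin/sh
# Route-based IPsec with an XFRM interface: kernel side plus swanctl side.
# Assumed values (not from the thread): interface name, underlay device,
# interface ID, PSK placeholder, dpd_delay. Addresses/proposals are Tom's lab.
set -eu

XFRM_IF=ipsec2
UNDERLAY=eth0
IF_ID=0xff02                  # must equal if_id_in/if_id_out in swanctl.conf
LOCAL_ID=192.168.100.101
PEER=192.168.100.102
LOCAL_NET=192.168.101.0/24
REMOTE_NET=192.168.102.0/24

# Normalise the interface ID to decimal so the very same number lands in both
# places: iproute2 accepts 0x-hex, swanctl.conf is written with decimal here.
if_id_dec() { printf '%d\n' "$(( $1 ))"; }

# Kernel side: create the XFRM interface bound to the underlay, turn off
# policy lookup on it (routing, not SPD policy, selects the traffic), bring it
# up and route the remote subnet through it. Requires root.
xfrm_if_up() {
    ip link add "$XFRM_IF" type xfrm dev "$UNDERLAY" if_id "$IF_ID"
    sysctl -w "net.ipv4.conf.$XFRM_IF.disable_policy=1"
    ip link set "$XFRM_IF" up
    ip route add "$REMOTE_NET" dev "$XFRM_IF" metric 10
}

# Sanity check that the interface really carries the ID the child SA will
# use (assumes iproute2 renders if_id in hex, e.g. "if_id 0xff02").
xfrm_if_check() {
    ip -d link show dev "$XFRM_IF" | grep -qi "if_id 0x$(printf '%x' "$(( IF_ID ))")"
}

# strongSwan side: swanctl.conf equivalent of the ipsec.conf conn, with
# if_id_in/if_id_out tying the child SA (and its policies) to the interface.
swanctl_conf() {
    id=$(if_id_dec "$IF_ID")
    cat <<EOF
connections {
    router2 {
        version = 2
        local_addrs = $LOCAL_ID
        remote_addrs = $PEER
        fragmentation = yes
        keyingtries = 0
        proposals = aes256-sha256-modp2048
        local {
            id = $LOCAL_ID
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            router2 {
                local_ts = $LOCAL_NET
                remote_ts = $REMOTE_NET
                esp_proposals = aes256-sha256-modp2048
                dpd_action = restart
                start_action = start
                if_id_in = $id
                if_id_out = $id
            }
        }
    }
}
secrets {
    ike-router2 {
        id = $PEER
        secret = "CHANGE-ME"
    }
}
EOF
}

# strongswan.conf fragment: keep kernel-libipsec out of the way so the SAs
# are installed in the kernel XFRM stack and not in the userland tunnel.
strongswan_conf() {
    printf 'charon {\n    plugins {\n        kernel-libipsec {\n            load = no\n        }\n    }\n}\n'
}
```

Run `xfrm_if_up` as root on router1, write `swanctl_conf` to /etc/swanctl/swanctl.conf and `strongswan_conf` to a drop-in under strongswan.d, then `swanctl --load-all`; `xfrm_if_check` and `swanctl --list-sas` should then agree on the interface ID. `dpd_delay` is needed for `dpd_action = restart` to do anything; set one per your environment.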