[strongSwan] Unable to get route-based tunnel working with XFRM device
Tom Cannaerts
mot at tom.be
Fri Aug 14 11:54:42 CEST 2020
I've converted the config from ipsec.conf to swanctl.conf and got it
working. Thanks! The ipsec.conf does not appear to have an alternative for
the if_id_in/out parameters.
For those interested, I have a working docker-compose based lab setup on
GitHub: https://github.com/TomCan/strongswan-xfrm-poc
On Thu, 13 Aug 2020 at 17:36, Volodymyr Litovka <doka.ua at gmx.com> wrote:
> Hi Tom,
>
> please, see below
>
> --
> Volodymyr Litovka
> "Vision without Execution is Hallucination." -- Thomas Edison
>
> On 13 Aug 2020, at 18:22, Tom Cannaerts <mot at tom.be> wrote:
>
> I'm trying to set up a route-based tunnel using an xfrm interface, but it's
> not clear to me how to link the policy to the interface.
>
> This is my ipsec.conf of router1 (currently lab based setup)
>
> conn router2
> fragmentation=yes
> dpdaction=restart
> ike=aes256-sha256-modp2048
> esp=aes256-sha256-modp2048
> keyingtries=%forever
> leftid=192.168.100.101
> leftauth=secret
> rightauth=secret
> leftsubnet=192.168.101.0/24
> keyexchange=ikev2
> right=192.168.100.102
> rightsubnet=192.168.102.0/24
> auto=start
>
>
> Since I'm using swanctl.conf, I don't know how it maps to the old config, but
> there are no if_id_in/if_id_out parameters, which would connect it with the xfrm
> interface. In my case it looks as shown below:
>
> connections {
>     conn1 {
>         children {
>             conn1-child {
>                 if_id_in = 9
>                 if_id_out = 9
>             }
>         }
>     }
> }
>
> This is how I'm creating the interface using iproute2
>
> ip link add ipsec2 type xfrm dev eth0 if_id 0xff02
> sysctl -w net.ipv4.conf.ipsec2.disable_policy=1
> ip link set ipsec2 up
> ip route add 192.168.102.0/24 dev ipsec2 metric 10
>
>
> I assign the IP address directly to the xfrm interface
>
> ip link add xfrm0 type xfrm dev lo if_id 9
> ip link set xfrm0 up
> ip address add x.x.x.x/24 dev xfrm0
>
> And don’t forget to unload kernel-libipsec to avoid running in userland.
>
> Hope this’ll help.
>
>
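The two halves of the setup discussed in this thread, the iproute2 commands that create the XFRM interface and the swanctl.conf child section that binds the CHILD_SAs to it, are tied together only by the interface ID. The script below is an added example (not from the thread, not part of strongSwan and not from the linked GitHub lab): it generates both halves from a single ID variable and checks that an ID written in hex for `ip link` and in decimal for swanctl is actually the same number. The interface name ipsec2, underlay eth0, ID 0xff02 (decimal 65282), the remote network 192.168.102.0/24 and the function names are this example's assumptions; the commands are only printed, not executed.

```shell
#!/bin/sh
# Added example: build the iproute2 commands and the matching swanctl.conf
# child section for a route-based tunnel over an XFRM interface.
# Assumed values (not from the thread): ipsec2 on eth0, ID 0xff02 / 65282,
# remote network 192.168.102.0/24. Nothing here touches the kernel; the
# commands are printed so they can be reviewed before being run as root.

XFRM_IFID=65282            # one ID for both halves; 65282 == 0xff02
XFRM_DEV=ipsec2
UNDERLAY_DEV=eth0
REMOTE_NET=192.168.102.0/24

# Hex form of the ID, as commonly written for "ip link add ... if_id 0x...".
xfrm_ifid_hex() { printf '0x%x\n' "$1"; }

# Decimal form of an ID given either as decimal or as 0x-hex (swanctl.conf
# is written with the decimal form here).
xfrm_ifid_dec() { printf '%d\n' "$(( $1 ))"; }

# iproute2 side, following the sequence from the original post: create the
# interface with the ID, disable per-interface policy lookups, bring it up,
# and route the remote subnet through it (routing decides what is encrypted).
xfrm_commands() {
  ifid=$1 dev=$2 under=$3 net=$4
  printf 'ip link add %s type xfrm dev %s if_id %s\n' \
    "$dev" "$under" "$(xfrm_ifid_hex "$ifid")"
  printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$dev"
  printf 'ip link set %s up\n' "$dev"
  printf 'ip route add %s dev %s\n' "$net" "$dev"
}

# swanctl side: if_id_in/if_id_out bind the SAs to the interface with that ID.
# 0.0.0.0/0 traffic selectors accept anything the routing table sends to the
# interface, which is what makes the tunnel route-based rather than policy-based.
swanctl_child() {
  ifid=$(xfrm_ifid_dec "$1") name=$2
  cat <<EOF
    ${name} {
        local_ts  = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
        if_id_in  = ${ifid}
        if_id_out = ${ifid}
        mode = tunnel
        start_action = start
    }
EOF
}

# Sanity check: a configured if_id and the interface's if_id, in whatever
# notation each was written, must be the same number or the SAs never match.
ifid_matches() { [ "$(xfrm_ifid_dec "$1")" -eq "$(xfrm_ifid_dec "$2")" ]; }

xfrm_commands "$XFRM_IFID" "$XFRM_DEV" "$UNDERLAY_DEV" "$REMOTE_NET"
echo
echo "# children section for swanctl.conf:"
swanctl_child "$XFRM_IFID" router2-child
```

As the thread concludes, this only works with swanctl.conf; ipsec.conf has no equivalent of if_id_in/if_id_out. With 0.0.0.0/0 selectors, keep in mind that charon by default also installs routes for the remote traffic selector (charon.install_routes), so check `ip route show table 220` after the tunnel comes up and disable that route installation if it conflicts with the route you added to the XFRM interface.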