[strongSwan] StrongSwan w/ multiple local subnets.

Brian Topping brian.topping at gmail.com
Sat Jun 20 08:26:02 CEST 2020



> On Jun 20, 2020, at 12:08 AM, TomK <tomkcpr at mdevsys.com> wrote:
> 
> However, I'll have to read it more thoroughly later on to be sure of that. If you can shed more light on this, that will help. Shouldn't ipsec configure the interfaces correctly? It does create ipsec01 so thought that would suffice.

I believe the interface creation is sufficiently unique across the matrix of OSs that strongSwan runs on that it’s too resource-intensive from a developer perspective to handle this reliably.

> Had a quick glance at the pages. Some of the commands and modules aren't available (i.e. xfrmi) on DD-WRT however so I'll have to have a closer look later this weekend. If you could provide more details that will help.

I run OpenWRT on one of my boxes, but it’s not a tunnel endpoint. DD-WRT et al. are perfect examples where interface creation and kernel functionality are widely variant. So I don’t have a good answer for you on how it should be created, sorry.

I realized after sending that the link I pasted to you was one I had in my history; I didn’t mean to imply that you should use xfrm. It’s great if you *can*, but I believe that interface is only stable on later Linux kernels and almost assuredly not supported everywhere (maybe anywhere?). Fallbacks are VTI and GRE constructions, in that order of desirability.

Maybe others will have more information for you!

