[strongSwan] Reinventing the wheel (not): updown and multiple children
Tobias Brunner
tobias at strongswan.org
Tue Feb 1 16:30:30 CET 2022
Hi Carlos,
> I'm trying to come up with an updown script for xfrm interface handling.
> So far I've managed to get routed working, now I want to have policy
> based VPNs covered too.
>
> But then I assume I have to create the XFRM only if it's not there
> already, and then manage adding routes to a table much like starter does.
>
> Is there an easy way to know when to remove the interface?
> (so last updown call actually deletes the interface when going down)
> Counting would be the sure way, but maybe there's a hook already built in?
If your goal is that all children share the same interface, you can
create one in the ike-updown VICI event (not the updown script, which is
called for every combination of local and remote TS of every CHILD_SA).
There is an example script [1] in the route-based/net2net-xfrmi-ike
test scenario [2]. You could also create the interface independent of
any IKE or Child SA related events e.g. via charon.start-scripts or when
the system starts.
Regards,
Tobias
[1] https://github.com/strongswan/strongswan/blob/master/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py
[2] https://www.strongswan.org/testing/testresults/route-based/net2net-xfrmi-ike/
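The approach Tobias describes, as an added example that is neither the strongSwan test script nor code from this thread: a VICI listener that creates one XFRM interface per IKE_SA on the ike-updown up event and deletes it on the down event, so no per-child counting is needed. It assumes the python vici package, that each connection sets the same if_id_in/if_id_out, that charon reports them as 'if-id-in'/'if-id-out' hex strings in the event, and the interface name and underlay device are placeholders.

```python
#!/usr/bin/env python3
"""One XFRM interface per IKE_SA, driven by the ike-updown VICI event."""
import subprocess

IFACE_PREFIX = "ipsec"  # assumption: interfaces are named ipsec<if_id>
UNDERLAY_DEV = "eth0"   # assumption: device carrying the ESP traffic

def _s(v):
    """vici returns bytes values; normalise to str."""
    return v.decode() if isinstance(v, bytes) else v

def parse_event(event):
    """Return (is_up, conn_name, if_id) from an ike-updown message, or None.
    'up' is present only for up events; the other key is the connection
    name whose value holds the IKE_SA details (same layout as list-sas)."""
    is_up = "up" in event
    sas = [(k, v) for k, v in event.items() if k != "up"]
    if len(sas) != 1:
        raise ValueError("expected exactly one IKE_SA in ike-updown event")
    name, sa = sas[0]
    if_in = int(_s(sa.get("if-id-in", "0")), 16)
    if_out = int(_s(sa.get("if-id-out", "0")), 16)
    if if_in == 0 or if_in != if_out:
        return None  # a shared interface needs one non-zero ID both ways
    return is_up, name, if_in

def link_commands(is_up, if_id):
    """ip(8) commands that create (up) or delete (down) the interface."""
    dev = f"{IFACE_PREFIX}{if_id}"
    if is_up:
        return [["ip", "link", "add", dev, "type", "xfrm",
                 "dev", UNDERLAY_DEV, "if_id", str(if_id)],
                ["ip", "link", "set", dev, "up"]]
    return [["ip", "link", "del", dev]]

def main():
    import vici  # assumption: python3-vici installed on the host
    session = vici.Session()  # default socket /var/run/charon.vici
    for _label, event in session.listen(["ike-updown"]):
        parsed = parse_event(event)
        if parsed is None:  # skip SAs without a usable interface ID
            continue
        is_up, _name, if_id = parsed
        for cmd in link_commands(is_up, if_id):
            subprocess.run(cmd, check=False)

if __name__ == "__main__":
    main()
```

The listener must run as a daemon with rights to open the VICI socket and to run ip(8); interfaces for IKE_SAs that existed before it started are not created retroactively.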