[strongSwan] Reinventing the wheel (not): updown and multiple children

Carlos G Mendioroz tron at huapi.ba.ar
Tue Feb 1 16:23:38 CET 2022 

Well, after not much time I figured that using the route table as a 
counter would be a reasonable choice. So here, just in case it helps 
someone else, a seemingly working updown script that handles routed or 
policy ends, using XFRM interfaces.
If used with 5 params, it creates a point to point XFRM. If used with 4, 
it creates an adressless (unnumbered?) interfaces and assigns a route 
through it.


#!/bin/bash
#
# /etc/ipsec-vti.sh
#
LOCAL_IF=${1}
VTI_IF=${2}
IF_ID=${3}
VTI_LOCALADDR=${4}
VTI_REMOTEADDR=${5}

case "${PLUTO_VERB}" in
up-client)
if ! ip -br link show dev ${VTI_IF} >/dev/null 2>/dev/null
then
         ip link add ${VTI_IF} type xfrm dev ${LOCAL_IF} if_id ${IF_ID}
         ip link set ${VTI_IF} up mtu 1436
fi
if [ -z "${VTI_REMOTEADDR}" ]
then
         ip route add ${VTI_LOCALADDR} dev ${VTI_IF} table 220
else
         ip addr add ${VTI_LOCALADDR} remote ${VTI_REMOTEADDR} dev ${VTI_IF}
fi
iptables -t mangle -I FORWARD -o ${VTI_IF} -p tcp -m tcp --tcp-flags 
SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
;;
down-client)
if [ -z "${VTI_REMOTEADDR}" ]
then
         ip route delete ${VTI_LOCALADDR} dev ${VTI_IF} table 220
fi
if ip -o route ls table 220
then
         ip link del ${VTI_IF}
fi
iptables -t mangle -D FORWARD -o ${VTI_IF} -p tcp -m tcp --tcp-flags 
SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
;;
esac


Carlos G Mendioroz @ 1/2/2022 11:42 -0300 dixit:
> I'm trying to come up with an updown script for xfrm interface handling.
> So far I've managed to get routed working, now I want to have policy 
> based VPNs covered too.
> 
> But then I assume I have to create the XFRM only if it's not there 
> already, and then manage adding routes to a table much like starter does.
> 
> Is there an easy way to know when to remove the interface ?
> (so last updown call actually deletes the interface when going down)
> Counting would be the sure way, but may be there's a hook already built 
> in ?
> 
> TIA,

-- 
Carlos G Mendioroz  <tron at huapi.ba.ar>  LW7 EQI  Argentina

More information about the Users mailing list