[strongSwan] Bind charon to specific interfaces

Marcel Menzel mail at mcl.gg
Tue Mar 15 14:48:20 CET 2022


Hello List,

I am asking if there is a way to bind charon to specific interfaces, as 
apparently the "interfaces_use" option in charon.conf only makes charon 
ignore packets arriving on other interfaces, rather than actually binding to them.

My background for asking this is that I am working with VRFs, and the docs 
about Route-based VPNs mention that XFRM interfaces can be bound to VRF 
master interfaces, but charon itself apparently cannot:

    XFRM interfaces can be associated to a VRF layer 3 master 
    device, so any tunnel terminated by an XFRM interface implicitly is 
    bound to that VRF domain. For example, this allows multi-tenancy setups 
    where traffic from different tunnels can be separated and routed over 
    different interfaces.

So even with interfaces_use set to the VRF master device of a dummy 
interface bound to a VRF, charon still listens on "0.0.0.0/0" & 
"::/0" in the main VRF. To be able to receive ISAKMP packets in a 
VRF, I now have to use the "l3mdev hack" and set 
"net.ipv4.udp_l3mdev_accept" to 1, as every VRF has a default unreachable 
route with a high metric in it, and I'd like to avoid having to leak 
routes into the main VRF.


Kind regards,

Marcel Menzel
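An added pre-flight check for the situation described in the mail (not part of the original post and not strongSwan tooling): given the value of net.ipv4.udp_l3mdev_accept and the output of `ss -H -lun`, it reports whether IKE/NAT-T packets (UDP 500/4500) arriving on VRF-enslaved interfaces will reach a charon whose sockets are not bound to a device. The `ss` sample lines and the VRF name `vrf-blue` used in comments are constructed.

```shell
#!/bin/sh
# Added example (not strongSwan tooling). Linux delivers a UDP packet that
# arrives on a VRF-enslaved interface to a "global" socket (not bound to a
# device via SO_BINDTODEVICE) only when net.ipv4.udp_l3mdev_accept is 1;
# otherwise the VRF table's default unreachable route wins and charon never
# sees it. `ss` prints device-bound sockets as ADDR%DEVICE:PORT (e.g. vrf-blue).

# vrf_ike_check <udp_l3mdev_accept value> <output of `ss -H -lun`>
# One verdict per IKE port; returns 0 only if every port is reachable from VRFs.
vrf_ike_check() {
    accept="$1"
    ss_out="$2"
    rc=0
    for port in 500 4500; do
        # Classify listeners on this port from the local address field ($4):
        # "device:NAME" if any socket is device-bound, else "global", else "none".
        kind=$(printf '%s\n' "$ss_out" | awk -v p="$port" '
            { n = split($4, f, ":"); if (f[n] != p) next
              if (match($4, /%[^:]+/)) dev = substr($4, RSTART + 1, RLENGTH - 1)
              else global = 1 }
            END { if (dev != "") print "device:" dev
                  else if (global) print "global"
                  else print "none" }')
        case "$kind" in
            none)
                echo "udp/$port: nothing listening"; rc=1 ;;
            device:*)
                echo "udp/$port: bound to ${kind#device:}, delivered inside that VRF" ;;
            global)
                if [ "$accept" = "1" ]; then
                    echo "udp/$port: global socket, udp_l3mdev_accept=1, VRF packets accepted"
                else
                    echo "udp/$port: global socket, udp_l3mdev_accept=$accept, VRF packets dropped"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample: a charon with default (global) sockets, as in the mail.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:500 0.0.0.0:*
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*
UNCONN 0 0 [::]:500 [::]:*
UNCONN 0 0 [::]:4500 [::]:*'

# Offline run against the sample; on a live host:
#   vrf_ike_check "$(sysctl -n net.ipv4.udp_l3mdev_accept)" "$(ss -H -lun)"
vrf_ike_check 0 "$SAMPLE_SS" || echo "remediation: sysctl -w net.ipv4.udp_l3mdev_accept=1"
```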