Re: [strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel
Thanks Noel, that was the direction I needed! Your DHCP relay suggestion is a good one too. Back to the engineering lab for me :)

Best regards.

On 2018-04-12 05:52, Noel Kuntze wrote:
> Hello,
>
> IPsec is a layer 3 tunneling protocol. The solution to your problem is to wrap a layer two tunneling protocol inside IPsec. On Linux, that could be a gretap tunnel, geneve, or other. There are many to choose from. Check the man page of `ip tunnel` or the corresponding help message.
>
> Kind regards
> Noel
>
> On 11.04.2018 05:04, flyingrhino wrote:
Re: [strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel
PS: A better idea would probably be to set up a DHCP relay on each initiator.

On 11.04.2018 05:04, flyingrhino wrote:
Re: [strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel
Hello,

IPsec is a layer 3 tunneling protocol. The solution to your problem is to wrap a layer two tunneling protocol inside IPsec. On Linux, that could be a gretap tunnel, geneve, or other. There are many to choose from. Check the man page of `ip tunnel` or the corresponding help message.

Kind regards
Noel

On 11.04.2018 05:04, flyingrhino wrote:
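As an added example (not from this thread, nor strongSwan project code) of the approach Noel describes, the script below pairs a Linux gretap link with a strongSwan transport-mode child SA that protects only the GRE packets between the two gateways. It prints the `ip` commands and the swanctl.conf fragment rather than applying them, and it computes the MTU the gretap link needs so that bridged frames survive the GRE plus ESP encapsulation. The gateway addresses 203.0.113.1 (responder) and 198.51.100.1 (initiator), the bridge name br0 (holding tap0 and eth0 as in the post), the uplink eth1, the GRE key, the ESP overhead figure and the PSK are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): extend a bridged tap0/eth0 segment
# across strongSwan by running a gretap (Ethernet-over-GRE) link between the
# two gateways and encrypting the GRE packets with a transport-mode IPsec SA.
# Addresses, interface names, the GRE key and the PSK are constructed
# placeholders; swap local/remote on the other gateway.
set -eu

# Bytes added to every bridged frame by gretap with a GRE key:
# 20 (outer IPv4) + 8 (GRE header incl. key) + 14 (inner Ethernet) = 42.
GRETAP_OVERHEAD=42

# Largest inner Ethernet payload that still fits the physical path MTU after
# GRE and ESP encapsulation. ESP overhead depends on the cipher; 58 is a
# rounded-up assumption for AES-GCM-16 in transport mode (header, IV, ICV,
# trailer and 4-byte padding alignment).
gretap_mtu() {
    path_mtu=$1
    esp_overhead=${2:-58}
    echo $(( path_mtu - GRETAP_OVERHEAD - esp_overhead ))
}

# ip(8) commands that create the gretap link and enslave it to the bridge
# that already holds tap0 and eth0. Printed, not executed: review, then run
# as root on each gateway.
gretap_commands() {
    local_ip=$1; remote_ip=$2; bridge=$3; mtu=$4
    cat <<EOF
ip link add gretap1 type gretap local $local_ip remote $remote_ip key 100 ttl 64
ip link set gretap1 mtu $mtu
ip link set gretap1 master $bridge
ip link set gretap1 up
EOF
}

# swanctl.conf fragment. Transport mode with traffic selectors restricted to
# IP protocol GRE between the two gateway addresses: only the tunnel's packets
# are protected, and a trap policy brings the SA up on the first GRE packet.
swanctl_conf() {
    local_ip=$1; remote_ip=$2
    cat <<EOF
connections {
    l2-gre {
        local_addrs  = $local_ip
        remote_addrs = $remote_ip
        proposals = aes256gcm16-prfsha256-x25519
        local {
            auth = psk
            id = $local_ip
        }
        remote {
            auth = psk
            id = $remote_ip
        }
        children {
            gre {
                mode = transport
                local_ts  = $local_ip[gre]
                remote_ts = $remote_ip[gre]
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
        }
    }
}
secrets {
    ike-l2gre {
        id-1 = $local_ip
        id-2 = $remote_ip
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
EOF
}

# Checks once both gateways are configured (uplink = the physical interface
# carrying the IPsec traffic, assumed here to be eth1): the CHILD_SA must be
# installed, the xfrm counters must rise while a client requests DHCP, and
# the tcpdump filter must stay silent, because plaintext GRE must never leave
# the gateway outside ESP.
verify_commands() {
    uplink=$1
    cat <<EOF
swanctl --list-sas
ip -s xfrm state
tcpdump -ni $uplink 'ip proto 47'
EOF
}

# Usage on the responder (run with the argument "show" to print everything):
if [ "${1:-}" = "show" ]; then
    gretap_commands 203.0.113.1 198.51.100.1 br0 "$(gretap_mtu 1500)"
    swanctl_conf 203.0.113.1 198.51.100.1
    verify_commands eth1
fi
```

Two design notes follow from the post's constraints. First, the initiators are road warriors with changing addresses, so a static `remote` on the responder's gretap will not hold; the usual way out is to hand each initiator a fixed virtual IP from a strongSwan `pools` section and build the gretap against that address inside a tunnel-mode SA, one gretap per initiator as the post already contemplates. Second, bridged clients know nothing about the tunnel's MTU, so hand them the reduced value via DHCP option 26 (interface-mtu) from the responder-side server, otherwise full-size frames are silently dropped at gretap1. Noel's PS is the lighter alternative: a DHCP relay on each initiator needs only routed reachability to the DHCP server, so a plain tunnel-mode SA suffices and no Ethernet broadcast has to cross the WAN at all.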
[strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel
Hi,

I am trying to connect a servers-network to several remote clients-networks using ipsec/strongswan. Normally I could do that easily at Layer 3 on my own without troubling the forum.

However, I need to pass L2 packets from side to side - this includes ARP - because the machines at the initiator left side are being given IP addresses from a DHCP server located at the responder left side.

Network description:

- On the initiator machine I have a tap interface that's bridged with eth0 that connects to a physical switch. The DHCP clients connect to this switch. I have several of these networks. Each of these networks is a road-warrior style setup - the network can pop up anywhere in the world.

- On the responder machine I also have a tap interface that's bridged with eth0 that connects to a switch. The DHCP server and other servers connect to this switch. I must assign IPs to the initiator-side clients from the responder-side DHCP server - I can't have DHCP servers on the remote networks at the clients' end (where the initiator lives).

Is there a way to tell strongswan/ipsec that it should take all the traffic from the tap interface and push it through the tunnel to make it appear at the other side's tap interface? If needed - I don't mind setting up multiple tap interfaces on the responder - each serving one initiator.

Can you please point me in the right direction? Do you have an example similar to my scenario that I can look at to learn from?

Thank you very much.
A long time openvpn sysadmin now turned strongswan sysadmin!