Hi all, I am the author of Quagga/NHRP [1] module which is due to be merged to quagga master tree soon (and also opennhrp [2] - the earlier implementation of nhrp with racoon). I also worked on the Linux kernel IPsec/GRE drivers to make NBMA mode work.
All of these implement the NHRP protocol, which along with NBMA GRE tunnels and IPsec can be used to implement Cisco DMVPN [3]. The current Quagga/NHRP code works with strongSwan, but I am now looking into implementing similar integration with libreswan. Basically I would need a way to:

1. Initiate the IKE+CHILD SA of a specific connection to a specific host. That is, nhrp provides the connection name and the left/right IP addresses (roughly the equivalent of a kernel-sent acquire).
2. Terminate all SAs given the connection name and IP addresses.
3. Get information on IKE SA authentications (preferably including the DER certificate if using x509). This information is sent to optional nhrp triggers for authentication (e.g. to verify GRE IP addresses against the certificate before allowing their registration).
4. Get information on CHILD SAs. The idea is that nhrp can then flush all nhrp mappings when the last CHILD SA expires (or is killed by DPD).

It seems that this is almost possible by means of whack and updown scripts. However, this would mean a lot of fork+exec on busy nodes (100 to 10.000 active tunnels). Also the whack ABI seems to be unstable, so in practice I'd need to exec the whack utility to do the work.

So I'm wondering if there would be interest in getting a more stable API to control libreswan supporting (at least) the above three features. Ideally, it'd be a single unix socket connection that is event based (asynchronous) and accepts initiate/terminate requests and provides the IKE/CHILD SA notifications (+ SA DB synchronization on connect in case nhrpd is restarted).

Thoughts?

Thanks,
Timo

[1] http://git.alpinelinux.org/cgit/user/tteras/quagga/?h=nhrp
[2] https://sourceforge.net/projects/opennhrp/
[3] http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf
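As an added illustration (not code from Quagga/NHRP, opennhrp or libreswan), here is the CHILD SA bookkeeping that item 4 and the "SA DB synchronization on connect" idea imply: a tracker that consumes up/down notifications from the proposed control socket, flushes a peer's NHRP mappings only when its last CHILD SA is gone (so a rekey does not flush), and reconciles against a full snapshot after nhrpd reconnects. The event dictionary shape, the snapshot format and the peer addresses are assumptions made for this example.

```python
"""Per-peer CHILD SA tracking for an NHRP daemon fed by IKE daemon events."""
from collections import defaultdict


class ChildSaTracker:
    def __init__(self):
        # peer NBMA address -> set of live CHILD SA ids (assumed shape of events)
        self.live = defaultdict(set)
        # peers whose NHRP mappings would be flushed, in order of decision
        self.flushed = []

    def sync(self, snapshot):
        """Full SA database received on (re)connect; replaces the local view.

        snapshot: iterable of (peer, sa_id). A peer we believed had live SAs but
        which is absent from the snapshot lost them while nhrpd was down, so its
        mappings are flushed now rather than never.
        """
        fresh = defaultdict(set)
        for peer, sa_id in snapshot:
            fresh[peer].add(sa_id)
        for peer in list(self.live):
            if not fresh.get(peer):
                self.flushed.append(peer)
        self.live = fresh

    def on_event(self, event):
        """Apply one notification: {'type': 'child-up'|'child-down', 'peer', 'sa_id'}."""
        peer, sa_id = event["peer"], event["sa_id"]
        if event["type"] == "child-up":
            self.live[peer].add(sa_id)
        elif event["type"] == "child-down":
            self.live[peer].discard(sa_id)
            if not self.live[peer]:  # last CHILD SA gone (expiry or DPD kill)
                del self.live[peer]
                self.flushed.append(peer)
        else:
            raise ValueError(f"unknown event type {event['type']!r}")


def run_demo():
    """Rekey of a peer keeps its mappings; losing the last SA flushes them."""
    t = ChildSaTracker()
    # Constructed snapshot using documentation addresses, not real peers.
    t.sync([("198.51.100.7", 1), ("198.51.100.7", 2), ("203.0.113.9", 5)])
    t.on_event({"type": "child-up", "peer": "198.51.100.7", "sa_id": 3})    # rekey
    t.on_event({"type": "child-down", "peer": "198.51.100.7", "sa_id": 1})  # old SA
    t.on_event({"type": "child-down", "peer": "198.51.100.7", "sa_id": 2})  # still one left
    t.on_event({"type": "child-down", "peer": "198.51.100.7", "sa_id": 3})  # last: flush
    return t.flushed
```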
