On Tue, 5 Apr 2016, Timo Teras wrote:
> quagga master tree soon (and also opennhrp [2] - the earlier
> implementation of nhrp with racoon). I also worked on the Linux kernel
> IPsec/GRE drivers to make NBMA mode work.
>
> All of these implement the NHRP protocol, which along with NBMA GRE tunnels
> and IPsec can be used to implement Cisco DMVPN [3].
That's great!
> 1. Initiate IKE+CHILD SA of a specific connection to a specific host. That
> is, nhrp provides the connection name and left/right IP addresses
> (roughly equivalent to a kernel-sent acquire).
>
> 2. Terminate all SAs given the connection name and IP addresses.
That can be done with whack (see below)
> 3. Get information on IKE SA authentications (preferably including the
> DER certificate if using x509). This information is sent to optional
> nhrp triggers for authentication (e.g. to verify gre ip-addresses
> against the certificate before allowing their registration).
That is something we will have to add. Can you explain in a little more
detail what you need?
> 4. Get information on CHILD SAs. The idea is that nhrp can then flush
> all nhrp mappings when the last CHILD SA expires (or is killed by DPD).
So we have ipsec whack --trafficstatus, but I guess you want a listing
of "conn-name source/mask <-> dest/mask"? If there are many like you
suggest, would you want to ask pluto based on a conn name or a prefix?
> It seems that this is almost possible by means of whack and updown
> scripts. However, this would mean a lot of fork+exec on busy nodes (100
> to 10.000 active tunnels). Also the whack ABI seems to be unstable, so
> in practice I'd need to exec the whack utility to do the work.
>
> So I'm wondering if there would be interest in getting a more stable API to
> control libreswan supporting (at least) the above three features.
> Ideally, it'd be a single unix socket connection that is event based
> (asynchronous) and accepts initiate/terminate requests and provides the
> IKE/CHILD SA notifications (+ SA DB synchronization on connect in case
> nhrpd is restarted).
Whack in the end is also a simple socket, and you could implement whack
in your app so you can just use a socket. But perhaps we need to give
you a separate socket so there is no risk of accidentally blocking.
Thanks for reaching out to us, and let's keep the conversation going
to make this work with libreswan.
Paul
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev