On Tue, 11 Jun 2019, Antony Antony wrote:
XFRMi seems to be picking up fast. A proposed patch to OpenWRT network
scripts would add support for an xfrm device. I guess we/Libreswan should
merge our branch soon!
Cool. What is preventing the branch from being merged right now?
The OpenWRT patch proposal suggests the whole interface creation and its
lifecycle could be managed by system network scripts.
I imagine on Debian/Fedora systemd-networkd would get similar support soon.
Or maybe NetworkManager. I am not sure.
I think it is certainly something we want to support. If a connection is
configured with mark=, and something else creates the interface, are we
still expected to change the routing too?
Note they also planned to add IP addresses there. I wonder how this would work
in various cases, road warrior, or BGP/routing protocol situations.
I guess it would only work for the static IP cases? Which seems to be
the more likely case for openwrt anyway?
This package adds scripts for xfrm interfaces support.
Example configuration via /etc/config/network:
config interface 'xfrm0'
        option proto 'xfrm'
        option mtu '1300'
        option zone 'VPN'
        option tunlink 'wan'
        option ifid 30
Ok so that would pre-create the interface. But if they already route
into it without ipsec running, packets would be lost. That could be a
bug or a feature, depending on your view.
config interface 'xfrm0_static'
        option proto 'static'
        option ifname '@xfrm0'
        option ip6addr 'fe80::1/64'
        option ipaddr '10.0.0.1/30'
I guess _static is a generic way to configure an interface? Kind of odd
it needs a separate section.
Now set in strongswan IPsec policy:
        if_id_in = 30
        if_id_out = 30
Right, which for us would be mark=30/0xffffffff
(we should support marks without a mask, but our parser doesn't like to
get only numbers for a string).
Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev
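Added example, not part of the thread and not Libreswan or OpenWRT code: the two UCI sections quoted above are turned into the iproute2 commands the proposed network scripts would have to run, and the mark=value/mask form Paul mentions is parsed so that a bare "30" and "30/0xffffffff" mean the same thing. The function names (parse_mark, if_id_for_mark, xfrmi_commands, policy_equivalents) and the flattened UCI dictionaries are this example's own; the `ip link add ... type xfrm dev DEV if_id N` syntax is iproute2's. The only caveat the code enforces that the thread does not spell out is that a mark with a partial mask matches many mark values and therefore has no single if_id equivalent.

```python
"""Added illustration for the OpenWRT xfrm interface discussion (not project code).

Maps the quoted UCI 'xfrm' + 'static' sections onto iproute2 commands and
relates strongswan's if_id_in/if_id_out to the mark=VALUE/MASK notation
Libreswan used at the time, per the thread.
"""
from typing import Dict, List, Tuple

FULL_MASK = 0xFFFFFFFF

# Constructed sample input: the two UCI sections from the thread, flattened.
UCI_XFRM0 = {"proto": "xfrm", "mtu": "1300", "zone": "VPN",
             "tunlink": "wan", "ifid": "30"}
UCI_XFRM0_STATIC = {"proto": "static", "ifname": "@xfrm0",
                    "ip6addr": "fe80::1/64", "ipaddr": "10.0.0.1/30"}


def parse_mark(text: str) -> Tuple[int, int]:
    """Parse 'VALUE' or 'VALUE/MASK' (decimal or 0x-prefixed hex).

    A missing mask defaults to 0xffffffff, which is the behaviour Paul asks
    for ("we should support marks without a mask"). This is an illustrative
    parser, not Libreswan's.
    """
    value_s, _, mask_s = text.strip().partition("/")
    value = int(value_s, 0)
    mask = int(mask_s, 0) if mask_s else FULL_MASK
    if not (0 <= value <= FULL_MASK and 0 <= mask <= FULL_MASK):
        raise ValueError(f"mark not in 32-bit range: {text!r}")
    if value & ~mask & FULL_MASK:
        raise ValueError(f"mark value has bits outside its mask: {text!r}")
    return value, mask


def if_id_for_mark(text: str) -> int:
    """Return the xfrm interface id a mark= setting corresponds to.

    An if_id names exactly one interface, so only a fully masked mark maps
    onto it; 30/0xff would match many marks and has no if_id equivalent.
    """
    value, mask = parse_mark(text)
    if mask != FULL_MASK:
        raise ValueError("only a mark with mask 0xffffffff maps to one if_id")
    if value == 0:
        raise ValueError("if_id 0 is rejected by the kernel when creating an xfrm interface")
    return value


def xfrmi_commands(xfrm: Dict[str, str], static: Dict[str, str], name: str) -> List[str]:
    """iproute2 commands equivalent to the 'xfrm' and 'static' UCI sections.

    Assumed approximation of what the proposed OpenWRT proto handler does.
    Note that once the interface is up and addressed, traffic routed into
    it with no matching IPsec state is dropped by the kernel (Paul's point
    about packets being lost when ipsec is not running).
    """
    if xfrm.get("proto") != "xfrm":
        raise ValueError("not an xfrm section")
    if static.get("ifname") != f"@{name}":
        raise ValueError("static section does not alias this interface")
    if_id = int(xfrm["ifid"], 0)
    if if_id == 0:
        raise ValueError("if_id must be non-zero")
    cmds = [f"ip link add {name} type xfrm dev {xfrm['tunlink']} if_id {if_id}"]
    if "mtu" in xfrm:
        cmds.append(f"ip link set {name} mtu {xfrm['mtu']}")
    cmds.append(f"ip link set {name} up")
    for key in ("ipaddr", "ip6addr"):
        if key in static:
            cmds.append(f"ip addr add {static[key]} dev {name}")
    return cmds


def policy_equivalents(if_id: int) -> Dict[str, str]:
    """Per-daemon config lines selecting this interface id, as quoted in the thread."""
    return {"strongswan": f"if_id_in = {if_id}\nif_id_out = {if_id}",
            "libreswan": f"mark={if_id}/0x{FULL_MASK:x}"}


if __name__ == "__main__":
    for cmd in xfrmi_commands(UCI_XFRM0, UCI_XFRM0_STATIC, "xfrm0"):
        print(cmd)
    print(policy_equivalents(if_id_for_mark("30"))["libreswan"])
```

Run as a script it prints the five `ip` commands for xfrm0 followed by `mark=30/0xffffffff`; the commands themselves need root and a kernel with xfrm interface support (Linux 4.19 or later) to actually execute. After bringing the interface up, `ip -s link show xfrm0` is the quickest way to see Paul's failure mode: with no IPsec state for if_id 30 loaded, packets routed into the interface show up in its error counters rather than on the wire.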