xfrmi branch got a bit more testing on OpenWRT without NAT cases and rebased to current master. Thanks to Paul and @lucize on github for testing.

Testing was focused on road warrior setup and OpenWRT peer-to-peer setup.

@lucize brought up one issue.
https://github.com/libreswan/libreswan/issues/278#issuecomment-568001203
It is a bit complex issue related to routed vpn and 0/0 - 0/0 tunnels and adding routes dynamically. At this moment I think it is possibly a kernel-xfrm issue rather than a Libreswan only issue. However note this is something that works on VTI and not on xfrmi.

This morning in a testrun I noticed a bunch of coredumps from addconn
https://swantest.libreswan.fi/s2/v3.28-1487-g3d33747478-testrun-xfrmi/
I will investigate the addconn crash today.

There is one unexpected Netlink error; I put in a hack. I need to look at it further, possibly after merge to master.

Current configuration option is
ipsec-interface=no|yes|<n> where n = 1..UINT32_MAX
Note 0x is necessary.

IPv6 and xfrmi may not work in all cases. The IPv6 up-down script needs more work.

My plan is: resolve the addconn issue, a new testrun. If there are no major issues I will merge.

regards,
-antony

On Thu, Dec 05, 2019 at 07:38:23AM +0100, Antony Antony wrote:
> Here is an update from my side. I rebased the branch. It seems to pass test
> cases, console output needs fixing due to changes in master.
>
> I briefly saw on Paul's laptop xfrmi did not work for him. I tried to
> reproduce it, no luck so far. Maybe something to do with WiFi and other
> interfaces? I need more details for this case.
>
> The keyword parsing at the moment is a bit odd.
> ipsec-interface=yes|no|<n in hex>
> It would be nice to allow decimal numbers. On the other hand we can probably
> start with hex:) and fix it soon.
>
> If you have specific use cases that need routed vpn please test and give
> feedback.
>
> I am not confident to merge to master. The updown script needs more testing.
>
> -antony
>
> test run:
> PS https://swantest.libreswan.fi/s2/v3.28-1263-gc1acc431aa-xfrmi-tesrun/
>
> On Mon, Nov 04, 2019 at 01:24:46PM +0100, Antony Antony wrote:
> > Initial support for ipsec device for Libreswan using Linux XFRMi. The
> > kernel support was introduced in 4.19. E.g. Fedora 30, or you need 4.19 or
> > later kernel and the matching header files to compile this branch.
> >
> > Please test it if you can, also it would be great to receive feedback on
> > this development branch.
> >
> > Hopefully it would get merged into libreswan 3.30 or 3.31.
> >
> > To get the source code #xfrmi
> > git clone -b xfrmi https://github.com/antonyantony/libreswan
> >
> > More details about XFRMi https://libreswan.org/wiki/Route-based_XFRMi The
> > configuration and keyword is likely to change. Now it is
> >
> > "ipsec-interface=yes", "yes|no|<n>" option.
> >
> > I am also hoping to make this work for advanced route based VPN use cases.
> > That may need changes to pluto's idea of route, back in the days "route" was
> > destination only. Currently with iproute2 we can do more advanced things
> > such as source and destination based routing.
> >
> > Anyone using systemd-networkd here? I think it can support xfrm type
> > device.
> > Let me know if you can test systemd-networkd support. Also OpenWRT is known
> > to have xfrm device support.
> >
> > regards,
> > -antony
> > _______________________________________________
> > Swan-dev mailing list
> > [email protected]
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
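
The `ipsec-interface=` value syntax described in the thread (yes, no, or a 0x-prefixed number in 1..UINT32_MAX), written out as a strict parser. This is an added example, not code from libreswan or from the mail; `parse_ipsec_interface`, `struct xfrmi_opt` and the id selected by `yes` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical result type for this sketch; not a libreswan structure. */
struct xfrmi_opt {
	bool enabled;   /* false for "no" */
	uint32_t if_id; /* meaningful only when enabled */
};

/* Assumption: the id that "yes" selects. The mail does not say. */
#define XFRMI_YES_IF_ID 1u

static int hex_digit(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Parse yes|no|0x<hex>, 1..UINT32_MAX. Returns 0 on success, -1 on reject;
 * *out is written only on success. */
int parse_ipsec_interface(const char *val, struct xfrmi_opt *out)
{
	if (val == NULL || out == NULL)
		return -1;
	if (strcmp(val, "no") == 0) {
		*out = (struct xfrmi_opt){ .enabled = false, .if_id = 0 };
		return 0;
	}
	if (strcmp(val, "yes") == 0) {
		*out = (struct xfrmi_opt){ .enabled = true, .if_id = XFRMI_YES_IF_ID };
		return 0;
	}
	/* Numeric form: the 0x prefix is mandatory, then at least one digit. */
	if (val[0] != '0' || (val[1] != 'x' && val[1] != 'X') || val[2] == '\0')
		return -1;
	uint64_t n = 0;
	for (const char *p = val + 2; *p != '\0'; p++) {
		int d = hex_digit(*p);
		if (d < 0)
			return -1; /* sign, space, second "0x", trailing junk */
		n = (n << 4) | (uint64_t)d;
		if (n > UINT32_MAX)
			return -1; /* checked per digit, so n never wraps */
	}
	if (n == 0)
		return -1; /* 0 is below the stated range */
	*out = (struct xfrmi_opt){ .enabled = true, .if_id = (uint32_t)n };
	return 0;
}
```

Accumulating digit by digit avoids the `strtoul` behaviours that would otherwise let leading whitespace, a sign or a second `0x` through.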
