Hi Vivek,

vivek bairathi wrote:
> Hi all,
>
> I have a requirement for creating tunnel SAs. After reading
> strongswan documentation and code I arrived at the following
> conclusion:-
>
> 1. left| right source IP in the conn section of ipsec.conf is used to
> specify the internal IP in the tunnel( virtual IP). The external
> tunnel IP will be filled in left| right parameters. Is this assumption
> correct?
>
This is not correct. Let us assume that left is local and right is remote. Then

  leftsourceip=<virtual IP address>

or

  leftsourceip=%config

define a virtual IP address to be used as source address within the IPsec
tunnel. This is equivalent to setting the source traffic selector to

  leftsubnet=<virtual IP address>/32

but does not change in any way

  left=

which is used as the source address of the ESP packet.

>
> 2. How does the stack distinguish that the IPaddress that is being
> added is external IP or internal IP in the tunnel ?
>
See point 1 above.

> 3. How does the addition/deletion of external tunnel IP address and
> internal IP handled differently by the charon?
>
Available external IP addresses are automatically detected by strongSwan
using RT_NETLINK. E.g. defining

  left=%any

will select the outer source address based on the actual route to right.
This can be very helpful in multi-homing environments.

Virtual IP addresses are installed by strongSwan via RT_NETLINK by adding
a new virtual IP address as an alias of the physical interface used.

  ip addr list dev eth0

will show the virtual IPs associated with eth0. By installing a source
route in table 220 which is shown by the command

  ip route list table 220

all plaintext packets with destination "rightsubnet" will assume the
virtual IP as their source address before being encapsulated by ESP.

> Thanks & Regards,
> Vivek

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
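
Added example (not part of the original message and not strongSwan code): a shell check that the virtual IP is installed on the interface and is the `src` of the table 220 route to rightsubnet, using the two commands named in the reply. The sample outputs, the addresses 10.3.0.1, 192.0.2.10 and 10.1.0.0/16, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample output (not from the original message).
# Live use: check_vip VIP DEST "$(ip addr list dev eth0)" "$(ip route list table 220)"
SAMPLE_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet 10.3.0.1/32 scope global eth0'
SAMPLE_ROUTE='10.1.0.0/16 via 192.0.2.1 dev eth0 proto static src 10.3.0.1'

# iface_addrs ADDR_OUTPUT: print each IPv4 address on the interface,
# with the prefix length stripped (outer address and virtual IPs alike).
iface_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2 }'
}

# route_src DEST ROUTE_OUTPUT: print the "src" address of the route whose
# destination is exactly DEST (the rightsubnet), or nothing if absent.
route_src() {
    printf '%s\n' "$2" | awk -v dst="$1" '
        $1 == dst { for (i = 2; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# check_vip VIP DEST ADDR_OUTPUT ROUTE_OUTPUT
# Returns 0 if VIP is on the interface and is the source for DEST,
# 1 if VIP is not installed, 2 if no source route exists for DEST,
# 3 if the route uses a different source (plaintext would not carry the VIP).
check_vip() {
    vip=$1 dst=$2
    iface_addrs "$3" | grep -qxF "$vip" || {
        echo "virtual IP $vip is not installed on the interface"; return 1; }
    src=$(route_src "$dst" "$4")
    [ -n "$src" ] || {
        echo "no source route for $dst in table 220"; return 2; }
    [ "$src" = "$vip" ] || {
        echo "route to $dst uses src $src, not virtual IP $vip"; return 3; }
    echo "ok: traffic to $dst leaves with inner source $vip"
}

check_vip 10.3.0.1 10.1.0.0/16 "$SAMPLE_ADDR" "$SAMPLE_ROUTE"
```

Return code 3 is the case worth alerting on: a route to rightsubnet exists but its source is not the virtual IP, so the inner packets would not match the /32 source traffic selector described in the reply.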