Hi Richard,

> IP traffic --> Ethernet --> IP stack --> StrongSwan --> serial connection to
> second machine --> IP Stack --> Ethernet
>
> Essentially I'm trying to ensure that the decrypted traffic doesn't go
> back down the IP stack to the serial device as we need to assure that
> the decrypted traffic can never pass through the same IP stack as the
> encrypted traffic, thus providing a definitive separation of traffic
> paths.
By default, strongSwan just handles IKE, and any ESP processing is done by the kernel using SAD/SPD information provided by the IKE daemon. With our kernel-libipsec backend, charon handles ESP packets as well, using a TUN device to receive/inject plain packets into the networking stack.

Instead of using a TUN backend, you could provide your custom logic that sends/receives over that serial line. To do so, you can implement your own plugin, using kernel-libipsec [1] as a template. That plugin provides the glue for using the libipsec [2] userland ESP backend. Instead of connecting to the TUN in kernel_libipsec_router.c, you could attach your serial line.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=tree;f=src/libcharon/plugins/kernel_libipsec
[2] http://git.strongswan.org/?p=strongswan.git;a=tree;f=src/libipsec

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
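Added example, not part of the thread and not strongSwan code: whatever replaces the TUN device in a custom plugin has to turn the byte stream of a serial line back into discrete packets, because a serial port carries no packet boundaries. The block below shows one framing choice for that glue, RFC 1055 SLIP byte-stuffing, with an incremental decoder that tolerates reads arriving in arbitrary chunks and drops malformed or oversized frames instead of delivering truncated packets. The choice of SLIP, the 2048-byte frame limit and the sample packet are assumptions; how the decoded packets are handed to libipsec in place of the TUN path in kernel_libipsec_router.c is not shown, since that interface is not described here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1055 SLIP framing: delimits packets on a raw serial line by marking
 * frame ends and byte-stuffing the two reserved values. */
#define SLIP_END     0xC0
#define SLIP_ESC     0xDB
#define SLIP_ESC_END 0xDC
#define SLIP_ESC_ESC 0xDD
#define SLIP_MAX_PKT 2048   /* assumption: frame limit, tune for the link MTU */

/* Encode one packet into a SLIP frame. Returns the frame length, or 0 when
 * out is too small (no partial frame is produced). */
size_t slip_encode(const uint8_t *pkt, size_t len, uint8_t *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 2) return 0;
    out[o++] = SLIP_END;                       /* leading END flushes line noise */
    for (size_t i = 0; i < len; i++) {
        uint8_t b = pkt[i];
        if (b == SLIP_END || b == SLIP_ESC) {  /* stuff the two reserved bytes */
            if (o + 2 >= outlen) return 0;     /* keep room for the trailing END */
            out[o++] = SLIP_ESC;
            out[o++] = (b == SLIP_END) ? SLIP_ESC_END : SLIP_ESC_ESC;
        } else {
            if (o + 1 >= outlen) return 0;
            out[o++] = b;
        }
    }
    out[o++] = SLIP_END;
    return o;
}

typedef struct {
    uint8_t pkt[SLIP_MAX_PKT];
    size_t len;
    int escaped;    /* previous byte was SLIP_ESC */
    int dropping;   /* current frame is corrupt or oversized; skip to next END */
    int delivered;  /* pkt/len hold a packet handed to the caller last call */
} slip_decoder_t;

void slip_decoder_init(slip_decoder_t *d) { memset(d, 0, sizeof(*d)); }

/* Feed one byte from the serial line. Returns 1 when a complete, non-empty
 * packet is available in d->pkt/d->len, 0 otherwise. Bad escapes and frames
 * over SLIP_MAX_PKT are discarded whole rather than delivered truncated. */
int slip_feed(slip_decoder_t *d, uint8_t b)
{
    if (d->delivered) {               /* caller consumed the last packet */
        d->len = 0;
        d->delivered = 0;
    }
    if (b == SLIP_END) {
        int complete = !d->dropping && !d->escaped && d->len > 0;
        d->escaped = 0;
        d->dropping = 0;
        if (complete) {
            d->delivered = 1;
            return 1;
        }
        d->len = 0;                   /* empty or corrupt frame: discard */
        return 0;
    }
    if (d->dropping) return 0;
    if (d->escaped) {
        d->escaped = 0;
        if (b == SLIP_ESC_END)      b = SLIP_END;
        else if (b == SLIP_ESC_ESC) b = SLIP_ESC;
        else { d->dropping = 1; return 0; }   /* protocol violation */
    } else if (b == SLIP_ESC) {
        d->escaped = 1;
        return 0;
    }
    if (d->len >= SLIP_MAX_PKT) { d->dropping = 1; return 0; }
    d->pkt[d->len++] = b;
    return 0;
}

/* Round-trip a constructed packet containing both reserved bytes, feeding the
 * frame to the decoder in two chunks as serial reads would. Returns 1 on
 * success, 0 on any mismatch. */
int slip_roundtrip_ok(void)
{
    /* Constructed sample: an IPv4-like header start followed by bytes that
     * collide with SLIP's END and ESC markers. */
    const uint8_t pkt[] = {0x45, 0x00, 0x00, 0x1C, 0xC0, 0xDB, 0xDC, 0xDD, 0xC0};
    uint8_t frame[64];
    size_t flen = slip_encode(pkt, sizeof pkt, frame, sizeof frame);
    if (flen == 0) return 0;

    slip_decoder_t d;
    slip_decoder_init(&d);
    size_t split = flen / 2, got = 0;
    for (size_t i = 0; i < split; i++) got += slip_feed(&d, frame[i]);
    if (got != 0) return 0;           /* no packet may complete mid-frame */
    for (size_t i = split; i < flen; i++) got += slip_feed(&d, frame[i]);
    if (got != 1) return 0;
    return d.len == sizeof pkt && memcmp(d.pkt, pkt, d.len) == 0;
}

int main(void)
{
    uint8_t pkt[] = {0x45, 0xC0, 0xDB, 0x01}, frame[16];
    size_t n = slip_encode(pkt, sizeof pkt, frame, sizeof frame);
    printf("frame (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", frame[i]);
    printf("\nround-trip %s\n", slip_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The decoder keeps the only copy of the packet in its own buffer and never touches a socket, which is the property Richard's layout needs: packets that cross the serial line exist as bytes on a character device, not as datagrams in the host IP stack. Framing is about delimiting only; integrity and confidentiality of the carried packets remain ESP's job.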
