Hi Ryan,

> I have an application scenario where I need to test Nested IPsec Tunnels.
> I googled and came up with some old threads talking about how this isn't
> supported with strongSwan unless I use two boxes, or a VM to route the
> traffic through again. Is this still the case?

Yes, this is still the case. To manage its own tunnels, IKE traffic must be exempted from the negotiated tunnel. strongSwan does this globally using IPsec bypass policies. This implies that IKE never goes over any negotiated tunnel, and prevents nested tunnels.

So unless you want to change that IPsec bypass policy behavior, running one instance in a VM is probably the best option. Maybe even running two strongSwan instances in their own network namespace works, but I've never tried that.

Regards
Martin
