Hi, I am familiar with configuring policy-based VPN using strongSwan, and I have recently set up route-based VPN using strongSwan. I am wondering whether one can simultaneously set up and use route-based and policy-based connections on the same gateway. Can someone confirm this?

As per my understanding, policy-based VPN requires strongSwan to install routes in table 220, whereas in route-based VPN route installation by Charon must be disabled. Therefore, for both types of connections to co-exist, I guess there needs to be a way to configure whether route installation is done or not on a per-connection basis in ipsec.conf, instead of having a global configuration in charon.conf.

Also, I am wondering why one has to disable XFRM & policy on the uplink (local endpoint) interface in the case of route-based VPN. Is it because we don't want ESP packets going from the VTI to the uplink interface in the egress path to be subject to IPsec processing again? I doubt that is the reason, because my understanding is that it is the "mark" which dictates whether IPsec processing is applicable to an interface or not. IMO, even though the local & remote selectors used in the route-based connection are 0.0.0.0/0, IPsec processing will be skipped at the uplink since there is no match w.r.t. the SA mark. Can someone please explain the significance of the requirement to disable XFRM & policy on the uplink interface?

If anyone has already succeeded in using route-based & policy-based VPN together on the same box using strongSwan, I'd appreciate it if they could share the configs.
Thanks, Sandesh
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
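Added example (not from the original post, not a reply on the list, and not strongSwan's own code): a sketch of what a gateway carrying one marked VTI-based conn and one plain policy-based conn looks like, plus a small check that reads `ip xfrm policy` output and shows which policies are mark-restricted. Everything concrete in it is an assumption for illustration: the interface name eth0, the addresses, the mark value 42, the VTI name vti42, the subnet behind the VTI, and the function names render_ipsec_conf, vti_setup and audit_xfrm_policies. The sample `ip xfrm policy` output is constructed, not captured from a real box. The example assumes the global charon.install_routes setting in strongswan.conf is "no", since that setting is not per-connection; the uplink sysctls are included only because the post asks about them, following the step as the post describes it.

```shell
#!/bin/sh
# Hypothetical gateway: uplink eth0 at 203.0.113.1, route-based peer 198.51.100.1
# reached through a VTI keyed with mark 42, policy-based peer 192.0.2.1 with
# 192.168.1.0/24 <-> 192.168.2.0/24. All names and addresses are assumptions.
UPLINK=eth0
LOCAL_IP=203.0.113.1
VTI_PEER=198.51.100.1
VTI_MARK=42
VTI_DEV=vti42

# ipsec.conf fragment: the route-based conn carries the mark and 0.0.0.0/0
# selectors, the policy-based conn carries real selectors and no mark.
# charon.install_routes (strongswan.conf) is global; this assumes it is "no",
# so the policy-based conn depends on the main table already sending
# 192.168.2.0/24 out of eth0 with the right source address, which is what the
# table-220 routes would otherwise take care of.
render_ipsec_conf() {
    cat <<EOF
conn vti-peer
    left=$LOCAL_IP
    right=$VTI_PEER
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$VTI_MARK
    auto=route

conn policy-peer
    left=$LOCAL_IP
    right=192.0.2.1
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.2.0/24
    auto=start
EOF
}

# Creates the VTI and routes traffic into it (needs root; not run by default).
# Only packets entering the VTI get the mark, so only they match the marked
# 0.0.0.0/0 policies; the plain /24 policies match on selectors alone.
vti_setup() {
    ip tunnel add "$VTI_DEV" local "$LOCAL_IP" remote "$VTI_PEER" mode vti key "$VTI_MARK"
    sysctl -w "net.ipv4.conf.$VTI_DEV.disable_policy=1"
    ip link set "$VTI_DEV" up
    ip route add 10.20.0.0/16 dev "$VTI_DEV"   # network behind the VTI peer (assumed)
    # The uplink sysctls the original post asks about, reproduced as described there.
    sysctl -w "net.ipv4.conf.$UPLINK.disable_xfrm=1"
    sysctl -w "net.ipv4.conf.$UPLINK.disable_policy=1"
}

# Reads `ip xfrm policy` output on stdin and prints one line per policy:
# "<src> -> <dst> <dir> mark=<mark or none>". A 0.0.0.0/0 policy without a
# mark would catch all traffic; with a mark it only catches VTI traffic.
audit_xfrm_policies() {
    awk '
        function flush() {
            if (sel != "") printf "%s %s mark=%s\n", sel, dir, mark
            sel = ""; dir = ""; mark = "none"
        }
        /^src /        { flush(); sel = $2 " -> " $4 }
        /^[ \t]*dir /  { dir = $2 }
        /^[ \t]*mark / { mark = $2 }
        END            { flush() }
    '
}

# Constructed sample of `ip xfrm policy` output for the two conns above.
SAMPLE_XFRM_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 399999 ptype main
    mark 0x2a/0xffffffff
    tmpl src 203.0.113.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 399999 ptype main
    mark 0x2a/0xffffffff
    tmpl src 198.51.100.1 dst 203.0.113.1
        proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 192.168.2.0/24
    dir out priority 383615 ptype main
    tmpl src 203.0.113.1 dst 192.0.2.1
        proto esp reqid 2 mode tunnel
src 192.168.2.0/24 dst 192.168.1.0/24
    dir in priority 383615 ptype main
    tmpl src 192.0.2.1 dst 203.0.113.1
        proto esp reqid 2 mode tunnel'

case "${1:-}" in
    apply) vti_setup; render_ipsec_conf ;;          # root required
    *)     render_ipsec_conf; printf '%s\n' "$SAMPLE_XFRM_POLICY" | audit_xfrm_policies ;;
esac
```

Run without arguments it only prints the conf fragment and the audit of the constructed sample; with `apply` it also executes the ip/sysctl commands. On a live box, `ip xfrm policy | audit_xfrm_policies` (after sourcing the functions) is the quick way to confirm that every 0.0.0.0/0 policy on the gateway is mark-restricted before trusting that plain uplink traffic is left alone.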
