Hello, IPsec is a layer 3 tunneling protocol. The solution to your problem is to wrap a layer two tunneling protocol inside IPsec. On Linux, that could be a gretap tunnel, geneve, or other. There are many to choose. Check the man page of `ip tunnel` or the corresponding help message.
Kind regards Noel On 11.04.2018 05:04, flyingrhino wrote: > Hi, > > I am trying to connect a servers-network to several remote clients-networks > using ipsec/strongswan. > Normally I could do that easily at Layer 3 on my own without troubling the > forum. > > However, I need to pass L2 packets from side to side - this includes ARP - > because the machines at the initiator left side are being given IP addresses > from a DHCP server located at the responder left side. > > Network description: > > - On the initiator machine I have a tap interface that's bridged with eth0 > that connects to a physical switch. The DHCP clients connect to this switch. > I have several of these networks. > Each of these networks is a road-warrior style setup - the network can pop up > anywhere in the world. > > - On the responder machine I also have a tap interface that's bridged with > eth0 that connects to a switch. The DHCP server and other servers connect to > this switch. > I must assign IPs to the initiator-side-clients from the responder-side DHCP > server - I can't have DHCP servers on the remote networks at the clients end > (where the initiator lives). > > > Is there a way to tell strongswan/ipsec that it should take all the traffic > from the tap interface and push it through the tunnel to make it appear at > the other side tap interface? > If needed - I don't mind setting up multiple tap interfaces on the responder > - each serving one initiator. > > Can you please point me in the right direction? > Do you have an example similar to my scenario that I can look at to learn > from? > > Thank you very much. > A long time openvpn sysadmin now turned strongswan sysadmin! > >
