IPsec is a layer 3 tunneling protocol. The solution to your problem is to wrap 
a layer two tunneling protocol inside IPsec. On Linux, that could be a gretap 
tunnel, geneve, or other. There are many to choose from.
Check the man page of `ip tunnel` or the corresponding help message.

Kind regards


On 11.04.2018 05:04, flyingrhino wrote:
> Hi,
> I am trying to connect a servers-network to several remote clients-networks 
> using ipsec/strongswan.
> Normally I could do that easily at Layer 3 on my own without troubling the 
> forum.
> However, I need to pass L2 packets from side to side - this includes ARP - 
> because the machines at the initiator left side are being given IP addresses 
> from a DHCP server located at the responder left side.
> Network description:
> - On the initiator machine I have a tap interface that's bridged with eth0 
> that connects to a physical switch. The DHCP clients connect to this switch.
> I have several of these networks.
> Each of these networks is a road-warrior style setup - the network can pop up 
> anywhere in the world.
> - On the responder machine I also have a tap interface that's bridged with 
> eth0 that connects to a switch. The DHCP server and other servers connect to 
> this switch.
> I must assign IPs to the initiator-side-clients from the responder-side DHCP 
> server - I can't have DHCP servers on the remote networks at the clients end 
> (where the initiator lives).
> Is there a way to tell strongswan/ipsec that it should take all the traffic 
> from the tap interface and push it through the tunnel to make it appear at 
> the other side tap interface?
> If needed - I don't mind setting up multiple tap interfaces on the responder 
> - each serving one initiator.
> Can you please point me in the right direction?
> Do you have an example similar to my scenario that I can look at to learn 
> from?
> Thank you very much.
> A long time openvpn sysadmin now turned strongswan sysadmin!
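Worked example of the gretap-inside-IPsec approach suggested in the reply above (added here, not code from the original thread or from strongSwan): a small POSIX shell script that creates the Ethernet-over-GRE interface, enslaves it to the existing bridge so ARP and DHCP frames cross the tunnel, and prints a matching transport-mode ipsec.conf stanza. The bridge name `br0`, the endpoint addresses and the connection name are constructed assumptions; with `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the original thread. Bridges a gretap (Ethernet over
# GRE) device into an existing Linux bridge so raw L2 frames (ARP, DHCP) travel
# through GRE, while IPsec in transport mode encrypts the GRE packets between the
# two tunnel endpoints. Assumption: br0 already contains eth0 and the tap device.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gretap_up NAME LOCAL_IP REMOTE_IP BRIDGE
# Creates the gretap device between the two endpoints and enslaves it to BRIDGE.
# The MTU is lowered so a full Ethernet frame plus GRE and ESP headers does not
# get fragmented on the outer path (1400 is a conservative constructed value).
gretap_up() {
    name=$1; local_ip=$2; remote_ip=$3; bridge=$4
    run ip link add "$name" type gretap local "$local_ip" remote "$remote_ip"
    run ip link set "$name" mtu 1400
    run ip link set "$name" master "$bridge"
    run ip link set "$name" up
}

# ipsec_conn NAME LOCAL_IP REMOTE_IP
# Prints an ipsec.conf stanza that protects exactly the GRE traffic (IP protocol
# 47) between the endpoints in transport mode. Authentication settings (keys or
# certificates) are omitted; reuse those of the existing strongSwan connection.
ipsec_conn() {
    cat <<EOF
conn $1
    type=transport
    left=$2
    right=$3
    leftprotoport=47
    rightprotoport=47
    auto=start
EOF
}

# Demo with constructed addresses: run "sh script.sh demo" to see the output.
if [ "${1:-}" = "demo" ]; then
    gretap_up gretap1 192.0.2.1 198.51.100.1 br0
    ipsec_conn l2tunnel 192.0.2.1 198.51.100.1
fi
```

Because the bridge forwards every frame arriving from the remote side, the IPsec policy must cover all GRE traffic between the endpoints so that no unencrypted GRE is ever accepted.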
