Hi, I have done this before, it works fine.

Just make sure you add a corresponding mark to both the definition of the ipsec0 interface and the Strongswan config for 0.0.0.0/0. XFRM looks for the most specific traffic selector when finding a match: it will check against the route-based selector first and then will check 0.0.0.0/0 last.

On Fri, Dec 20, 2019 at 12:57 PM Michael Schwartzkopff <[email protected]> wrote:

> On 20.12.19 17:42, Marco Berizzi wrote:
> > Hello everyone,
> >
> > I need to set up a 0.0.0.0/0 to 0.0.0.0/0 ipsec tunnel.
> > I was thinking of setting it up with the new xfrm interfaces:
> > I don't need to route all of 0.0.0.0/0 through this vpn.
> >
> > My question is how 'route based' and 'policy based'
> > VPNs will coexist on the same linux box.
> >
> > For example, if I'm going to implement a 0.0.0.0/0 to
> > 0.0.0.0/0 vpn with the xfrm interfaces and then I will
> > route the traffic only for the 155.192.168.0/24 network
> > through the ipsec0 device (for example), and then I
> > implement a classic policy based vpn (without the xfrm
> > interface) with the following traffic selectors
> > 166.172.16.0/24 and 177.16.172.0/24, what will happen?
> > Will the linux kernel process the packets for the
> > 166.172.16.0/24 and 177.16.172.0/24 into the right ipsec
> > policy?
> >
> > Thanks
> >
> > Marco
>
> I think mixing policy and route based VPNs on the same machine with
> overlapping network ranges will cause trouble. I'd change to only
> route-based VPNs in that case.
>
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
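What the reply above describes, as an added example that is not code from this thread or from the strongSwan project: a POSIX shell script that emits the ipsec0 interface definition and a swanctl.conf carrying both the route-based 0.0.0.0/0 connection and the policy-based 166.172.16.0/24 / 177.16.172.0/24 connection side by side, and checks that the interface id on the ip link line matches the one in the connection. It assumes strongSwan 5.8 or later, where an XFRM interface is bound to a connection through `if_id_in`/`if_id_out` (the fwmark pairing with `mark_in`/`mark_out` is what a VTI `key` would use instead); the addresses 198.51.100.1, 203.0.113.1 and 203.0.113.2, the peer identities, the pre-shared-key placeholders and the interface id 42 are constructed values.

```shell
#!/bin/sh
# Added example, not from the list thread or the strongSwan project.
# Assumptions: strongSwan >= 5.8 (swanctl with if_id_in/if_id_out), iproute2
# with "ip link add ... type xfrm", and constructed addresses 198.51.100.1
# (local gateway), 203.0.113.1 (route-based peer), 203.0.113.2 (policy-based
# peer). XFRM_ID is an arbitrary interface id that must be identical on the
# ipsec0 interface and in the route-based connection.
set -eu

XFRM_ID=${XFRM_ID:-42}
PHYS_DEV=${PHYS_DEV:-eth0}

# Route-based side: the XFRM interface bound to XFRM_ID and the single route
# that should use the tunnel, so the 0.0.0.0/0 selectors do not capture the
# rest of the host's traffic.
interface_commands() {
    cat <<EOF
ip link add ipsec0 type xfrm dev $PHYS_DEV if_id $XFRM_ID
ip link set ipsec0 up
ip route add 155.192.168.0/24 dev ipsec0
EOF
}

# swanctl.conf with both connections. "route-based" carries the wide selectors
# plus the interface id; "policy-based" carries the narrow selectors and no
# interface id, so its XFRM policies apply to ordinary traffic on $PHYS_DEV.
swanctl_config() {
    cat <<EOF
connections {
    route-based {
        local_addrs = 198.51.100.1
        remote_addrs = 203.0.113.1
        if_id_in = $XFRM_ID
        if_id_out = $XFRM_ID
        local {
            auth = psk
            id = gw.example.test
        }
        remote {
            auth = psk
            id = peer1.example.test
        }
        children {
            all {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mode = tunnel
                start_action = start
            }
        }
    }
    policy-based {
        local_addrs = 198.51.100.1
        remote_addrs = 203.0.113.2
        local {
            auth = psk
            id = gw.example.test
        }
        remote {
            auth = psk
            id = peer2.example.test
        }
        children {
            lan {
                local_ts = 166.172.16.0/24
                remote_ts = 177.16.172.0/24
                mode = tunnel
                start_action = start
            }
        }
    }
}
secrets {
    ike-peer1 {
        id = peer1.example.test
        secret = "PLACEHOLDER-replace-before-use"
    }
    ike-peer2 {
        id = peer2.example.test
        secret = "PLACEHOLDER-replace-before-use"
    }
}
EOF
}

# Returns 0 only when the id on the "ip link" line equals both if_id_in and
# if_id_out in swanctl.conf; a mismatch leaves ipsec0 without usable SAs.
ids_consistent() {
    link_id=$(interface_commands | sed -n 's/.*type xfrm.* if_id \([0-9]*\).*/\1/p')
    in_id=$(swanctl_config | sed -n 's/^ *if_id_in *= *\([0-9]*\).*/\1/p')
    out_id=$(swanctl_config | sed -n 's/^ *if_id_out *= *\([0-9]*\).*/\1/p')
    [ -n "$link_id" ] && [ "$link_id" = "$in_id" ] && [ "$link_id" = "$out_id" ]
}

# Stand-alone run: refuse to print artifacts whose ids disagree.
ids_consistent || { echo "if_id mismatch between ipsec0 and swanctl.conf" >&2; exit 1; }
interface_commands
swanctl_config
```

Run the printed ip commands as root, install the config as /etc/swanctl/swanctl.conf and load it with `swanctl --load-all`. `ip xfrm policy list` should then show the 0.0.0.0/0 policies tagged with the interface id and the two /24 policies without one; only packets that the routing table sends into ipsec0 are matched against the 0.0.0.0/0 policies, so the narrow policy-based selectors keep handling their networks on the physical interface, which is the coexistence the reply describes.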
