Mark is only needed with VTIs. XFRM interfaces work with if_ids.

On December 20, 2019 5:09:41 PM UTC, Felipe Arturo Polanco <[email protected]> wrote:
> Hi,
>
> I have done this before, it works fine.
>
> Just make sure you add a corresponding mark to both the definition of the
> ipsec0 interface and the strongSwan config for 0.0.0.0/0
>
> XFRM looks for the most specific traffic selector when finding a match, it
> will check against the route-based selector first and then will check 0.0.0.0/0
> last.
>
> On Fri, Dec 20, 2019 at 12:57 PM Michael Schwartzkopff <[email protected]> wrote:
>
>> On 20.12.19 17:42, Marco Berizzi wrote:
>> > Hello everyone,
>> >
>> > I need to set up a 0.0.0.0/0 to 0.0.0.0/0 IPsec tunnel.
>> > I was thinking of setting it up with the new xfrm interfaces:
>> > I don't need to route all of 0.0.0.0/0 through this VPN.
>> >
>> > My question is how 'route based' and 'policy based'
>> > VPNs will coexist on the same Linux box.
>> >
>> > For example, if I'm going to implement a 0.0.0.0/0 to
>> > 0.0.0.0/0 VPN with the xfrm interfaces and then I
>> > route the traffic only for the 155.192.168.0/24 network
>> > through the ipsec0 device (for example), and then I
>> > implement a classic policy-based VPN (without the xfrm
>> > interface) with the following traffic selectors
>> > 166.172.16.0/24 and 177.16.172.0/24, what will happen?
>> > Will the Linux kernel process the packets for the
>> > 166.172.16.0/24 and 177.16.172.0/24 into the right IPsec
>> > policy?
>> >
>> > Thanks
>> >
>> > Marco
>>
>> I think mixing policy- and route-based VPNs on the same machine with
>> overlapping network ranges will cause trouble. I'd change to only
>> route-based VPNs in that case.
>>
>>
>> Kind regards,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG, 80333 München
>>
>> Registered office: München, Amtsgericht München: HRB 199263
>> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Chairman of the supervisory board: Florian Kirstein
>>
>>
>>
Sent from mobile
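The coexistence question in the thread comes down to two kernel rules: an XFRM policy carries an if_id, and the kernel only considers a policy whose if_id equals the one of the xfrm interface the packet was routed into (0 for packets that were not routed into any xfrm interface); among the policies that do match, the one with the lowest priority value wins, and strongSwan derives that value from selector width so narrower selectors take precedence. With strongSwan the if_id is set per connection in swanctl.conf (`if_id_in`/`if_id_out`) and on the interface with `ip link add ipsec0 type xfrm dev eth0 if_id 42`; the `mark` settings are the VTI equivalent. The simulation below is an added example, not code from the thread or from strongSwan: it models the policy lookup for Marco's exact setup (route-based 0.0.0.0/0 on if_id 42, policy-based 166.172.16.0/24 to 177.16.172.0/24) and, for contrast, the case Michael warns about, the same 0.0.0.0/0 installed as a plain policy with no if_id. The priority formula, the routing table and the host addresses are simplified, constructed assumptions.

```python
"""Simulated XFRM policy lookup: route-based (if_id) and policy-based
CHILD_SAs on one host. Added example; not strongSwan's or the kernel's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumption: loosely modelled on strongSwan's get_priority(): lower value
# wins, narrower selectors lower the value, interface-bound policies rank first.
PRIO_BASE = 200000


@dataclass(frozen=True)
class Policy:
    name: str
    src: str          # local traffic selector
    dst: str          # remote traffic selector
    if_id: int = 0    # 0 = not bound to an xfrm interface

    def priority(self) -> int:
        p = PRIO_BASE - ip_network(self.src).prefixlen - ip_network(self.dst).prefixlen
        p <<= 1
        return p + (0 if self.if_id else 1)

    def matches(self, src: str, dst: str, if_id: int) -> bool:
        # The kernel (xfrm_policy_match) rejects a policy whose if_id differs
        # from the packet's: an if_id-bound policy never sees traffic that was
        # not routed into its interface, and an unbound policy never sees
        # traffic that was.
        if self.if_id != if_id:
            return False
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def lookup(policies: List[Policy], src: str, dst: str, if_id: int = 0) -> Optional[Policy]:
    """Highest-precedence matching policy, or None when nothing matches."""
    return min((p for p in policies if p.matches(src, dst, if_id)),
               key=Policy.priority, default=None)


def egress_if_id(routes: Dict[str, int], dst: str) -> int:
    """Longest-prefix route match; value is the xfrm if_id of the egress (0 = none)."""
    best = max((n for n in routes if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return routes[best]


def classify(policies: List[Policy], routes: Dict[str, int], src: str, dst: str) -> str:
    if_id = egress_if_id(routes, dst)
    pol = lookup(policies, src, dst, if_id)
    if pol:
        return pol.name
    # An xfrm interface drops packets it cannot match to a policy/state
    # (xfrmi_xmit); ordinary egress without a policy leaves in the clear.
    return "dropped" if if_id else "plaintext"


# Constructed routing tables: only 155.192.168.0/24 goes into ipsec0 (if_id 42).
MIXED_ROUTES = {"155.192.168.0/24": 42, "0.0.0.0/0": 0}
FLAT_ROUTES = {"0.0.0.0/0": 0}

# Marco's setup: route-based 0/0 bound to if_id 42 plus a classic policy-based SA.
MIXED = [
    Policy("route-based", "0.0.0.0/0", "0.0.0.0/0", if_id=42),
    Policy("policy-based", "166.172.16.0/24", "177.16.172.0/24"),
]

# Michael's trouble case: the same 0/0 installed as a plain policy (no if_id).
OVERLAPPING = [
    Policy("catch-all", "0.0.0.0/0", "0.0.0.0/0"),
    Policy("policy-based", "166.172.16.0/24", "177.16.172.0/24"),
]

if __name__ == "__main__":
    flows = (("10.0.0.5", "155.192.168.10"),   # routed into ipsec0
             ("166.172.16.5", "177.16.172.9"),  # policy-based selectors
             ("10.0.0.5", "8.8.8.8"))           # neither
    for label, pols, routes in (("if_id", MIXED, MIXED_ROUTES),
                                ("no if_id", OVERLAPPING, FLAT_ROUTES)):
        for src, dst in flows:
            print(f"{label:9} {src:>13} -> {dst:<15} {classify(pols, routes, src, dst)}")
```

In the if_id setup each flow lands where Marco wants it: traffic routed into ipsec0 hits the route-based 0/0 policy, the 166.172.16.0/24 to 177.16.172.0/24 flow hits the policy-based SA because the route-based policy is invisible to packets that never entered ipsec0, and everything else leaves in plaintext. Without the if_id, the 0/0 policy is a normal catch-all: the narrower policy-based selector still wins on priority, which is Felipe's "most specific selector" observation, but every other packet on the host is now swallowed by the catch-all, which is the trouble Michael describes.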
