Hi Carlos,

I'm trying to come up with an updown script for xfrm interface handling.
So far I've managed to get routed working, now I want to have policy
based VPNs covered too.

But then I assume I have to create the XFRM only if it's not there
already, and then manage adding routes to a table much like starter does.

Is there an easy way to know when to remove the interface?
(so the last updown call actually deletes the interface when going down)
Counting would be the sure way, but maybe there's a hook already built in?

If your goal is that all children share the same interface, you can create one in the ike-updown VICI event (not the updown script, which is called for every combination of local and remote TS of every CHILD_SA). There is an example script [1] in the route-based/net2net-xfrmi-ike test scenario [2]. You could also create the interface independent of any IKE or Child SA related events e.g. via charon.start-scripts or when the system starts.

Regards,
Tobias

[1] https://github.com/strongswan/strongswan/blob/master/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py
[2] https://www.strongswan.org/testing/testresults/route-based/net2net-xfrmi-ike/
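An added example (not the updown.py from the test scenario linked above, and not strongSwan project code) of the approach Tobias describes: a small Python listener on the vici ike-updown event that keeps one shared xfrm interface for all IKE_SAs, creating it when the first IKE_SA comes up and deleting it when the last one goes down. It reference-counts by IKE_SA name plus uniqueid, and checks with `ip link show` before adding or deleting so an interface left behind by an earlier run is reused rather than duplicated. The interface name ipsec0, if_id 42 and the device eth0 are assumed values; the if_id must match if_id_in/if_id_out of the connections in swanctl.conf. The RecordingRunner is a dry-run stand-in for subprocess so the state machine can be exercised without root.

```python
#!/usr/bin/env python3
# Added example: keep a single shared XFRM interface alive for as long as at
# least one IKE_SA is up, driven by the vici "ike-updown" event stream.
# ipsec0, if_id 42 and eth0 are hypothetical; match them to your swanctl.conf.

import subprocess

XFRMI_NAME = "ipsec0"       # assumed interface name
XFRMI_IF_ID = 42            # must equal if_id_in/if_id_out of the connections
UNDERLYING_DEV = "eth0"     # assumed physical device


def xfrmi_commands(action):
    """Return the iproute2 commands that create or delete the interface."""
    if action == "add":
        return [
            ["ip", "link", "add", XFRMI_NAME, "type", "xfrm",
             "dev", UNDERLYING_DEV, "if_id", str(XFRMI_IF_ID)],
            ["ip", "link", "set", XFRMI_NAME, "up"],
        ]
    if action == "del":
        return [["ip", "link", "del", XFRMI_NAME]]
    raise ValueError("unknown action %r" % (action,))


def parse_ike_updown(event):
    """Extract (sa_key, is_up) from a vici ike-updown message.

    The message carries 'up' = b'yes' on establishment (absent on teardown)
    plus one key named after the IKE_SA config whose value holds the SA
    details. 'uniqueid' (assumed present, as in list-sas) distinguishes
    several concurrent SAs of the same config; we fall back to the name."""
    is_up = event.get("up") == b"yes"
    names = [k for k in event if k != "up"]
    if len(names) != 1:
        raise ValueError("unexpected ike-updown event: %r" % (event,))
    name = names[0]
    info = event[name] if isinstance(event[name], dict) else {}
    uniqueid = info.get("uniqueid", b"").decode()
    key = "%s[%s]" % (name, uniqueid) if uniqueid else name
    return key, is_up


def run_command(cmd):
    """Run an ip(8) command and return its exit status."""
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


class RecordingRunner:
    """Dry-run replacement for run_command: records commands, fakes link state."""

    def __init__(self, exists=False):
        self.exists = exists
        self.calls = []

    def __call__(self, cmd):
        self.calls.append(cmd)
        verb = cmd[2] if len(cmd) > 2 else ""
        if verb == "show":
            return 0 if self.exists else 1
        if verb == "add":
            self.exists = True
        elif verb == "del":
            self.exists = False
        return 0


class SharedXfrmi:
    """Count live IKE_SAs; add the link on the first up, delete on the last down."""

    def __init__(self, run=run_command):
        self.run = run
        self.active = set()

    def link_exists(self):
        # `ip link show NAME` exits non-zero when the interface is absent.
        return self.run(["ip", "link", "show", XFRMI_NAME]) == 0

    def apply(self, action):
        for cmd in xfrmi_commands(action):
            if self.run(cmd) != 0:
                raise RuntimeError("command failed: %s" % " ".join(cmd))

    def handle(self, event):
        """Process one event; return 'add', 'del' or None when nothing changed."""
        key, is_up = parse_ike_updown(event)
        if is_up:
            self.active.add(key)
            # Existence check covers a link left behind by a previous run.
            if len(self.active) == 1 and not self.link_exists():
                self.apply("add")
                return "add"
            return None
        self.active.discard(key)
        if not self.active and self.link_exists():
            self.apply("del")
            return "del"
        return None


def main():
    import vici  # python3-vici; only needed for the live event loop
    manager = SharedXfrmi()
    # listen() blocks and yields (label, message) for each subscribed event.
    for _label, event in vici.Session().listen(["ike-updown"]):
        manager.handle(event)


if __name__ == "__main__":
    main()
```

Run it as root alongside charon (for instance from charon.start-scripts, as suggested above); the counter only reflects events seen since the script started, which is why the `ip link show` check is kept as a safety net.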
