Hi,
I am looking for a way to have the VPP IPsec stack talk with an
Ubuntu/strongSwan/svti tunnel. The key characteristics are that the
policies use 0.0.0.0/0 for both source and destination, and traffic is sent
down tunnels using a 'mark' instead, which is specified per-connection in
strongSwan. Here is an example of how this looks in xfrm policy on a stock
Linux box:

src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 3075
    mark 1/0xffffffff
    tmpl src 4.5.6.7 dst 1.2.3.4
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 3075
    mark 1/0xffffffff
    tmpl src 1.2.3.4 dst 4.5.6.7
        proto esp reqid 1 mode tunnel

The intent is to have a tunnel without additional encapsulation (like GRE)
yet still support a virtual numbered interface and dynamic networks on both
sides, and so not have to specify each subnet.

Is there a plan to support this, or some other way to do this in VPP such
that it will interoperate with VTIs?

--Doug
