Hi, I am looking for a way to have the vpp ipsec stack talk with an Ubuntu/strongSwan/svti tunnel. The key characteristics are that the policies use 0.0.0.0/0 for both source and destination, and traffic is sent down tunnels using a 'mark' instead, which is specified per-connection in strongSwan. Here is an example of how this looks in xfrm policy on a stock Linux box:

src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 3075 mark 1/0xffffffff
        tmpl src 4.5.6.7 dst 1.2.3.4
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 3075 mark 1/0xffffffff
        tmpl src 1.2.3.4 dst 4.5.6.7
                proto esp reqid 1 mode tunnel

The intent is to have a tunnel without additional encapsulation (like gre) yet still support a virtual numbered interface and dynamic networks on both sides and so not having to specify each subnet.

Is there a plan to support this, or some other way to do this in vpp such that it will interoperate with VTIs?

--Doug
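The following is an added example, not part of the original message: a simplified Python model of how the mark alone picks the tunnel when every policy carries the same 0.0.0.0/0 selectors. The second policy (mark 2, peer 192.0.2.9), the function names and the test addresses are constructed for illustration; this models the matching rule only and is not kernel or VPP code.

```python
import ipaddress
import re

# Constructed sample: the "out" policy from the message plus a second,
# invented tunnel that differs only by mark and peer address.
SAMPLE = """
src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 3075 mark 1/0xffffffff
    tmpl src 1.2.3.4 dst 4.5.6.7 proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 3075 mark 2/0xffffffff
    tmpl src 1.2.3.4 dst 192.0.2.9 proto esp reqid 2 mode tunnel
"""

POLICY_RE = re.compile(
    r"src (?P<src>\S+) dst (?P<dst>\S+) dir (?P<dir>\w+) "
    r"priority (?P<prio>\d+) mark (?P<mark>\w+)/(?P<mask>\w+) "
    r"tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+) proto (?P<proto>\w+) "
    r"reqid (?P<reqid>\d+) mode (?P<mode>\w+)"
)

def parse_policies(text):
    """Parse xfrm policy text (wrapped or flattened) into a list of dicts."""
    flat = " ".join(text.split())  # tolerate any line wrapping
    policies = []
    for m in POLICY_RE.finditer(flat):
        p = m.groupdict()
        for key in ("mark", "mask"):
            p[key] = int(p[key], 0)  # accepts "1" and "0xffffffff"
        p["prio"], p["reqid"] = int(p["prio"]), int(p["reqid"])
        policies.append(p)
    return policies

def select_policy(policies, direction, src, dst, fwmark):
    """Return the first policy matching direction, selectors and mark."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Lower priority value is preferred; ties keep their listed order.
    for p in sorted(policies, key=lambda p: p["prio"]):
        if (p["dir"] == direction
                and src in ipaddress.ip_network(p["src"])
                and dst in ipaddress.ip_network(p["dst"])
                and (fwmark & p["mask"]) == p["mark"]):
            return p
    return None  # no policy: the packet is not steered into any tunnel

if __name__ == "__main__":
    pols = parse_policies(SAMPLE)
    for mark in (1, 2, 0):
        hit = select_policy(pols, "out", "10.0.0.1", "10.1.0.1", mark)
        print(mark, "->", hit["tdst"] if hit else "no tunnel")
```

Because the selectors match everything, an unmarked packet matches no policy here, which is why the mark (set by the VTI device) is the only thing deciding which peer receives the traffic.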