[Swan-dev] quagga/nhrp integration to libreswan

Timo Teras timo.teras at iki.fi
Tue Apr 5 18:46:35 UTC 2016

Hi all,

I am the author of the Quagga/NHRP [1] module, which is due to be merged into
the quagga master tree soon (and also of opennhrp [2], the earlier
implementation of NHRP with racoon). I also worked on the Linux kernel
IPsec/GRE drivers to make NBMA mode work.

All of these implement the NHRP protocol, which along with NBMA GRE tunnels
and IPsec can be used to implement Cisco DMVPN [3].

The current Quagga/NHRP code works with strongSwan, but I am now looking
into implementing similar integration with libreswan.

Basically I would need a way to:

1. Initiate an IKE+CHILD SA of a specific connection to a specific host. That
is, nhrp provides the connection name and the left/right IP addresses
(roughly equivalent to a kernel-sent acquire).

2. Terminate all SAs given the connection name and IP addresses.

3. Get information on IKE SA authentications (preferably including the
DER certificate if using X.509). This information is sent to optional
nhrp triggers for authentication (e.g. to verify GRE IP addresses
against the certificate before allowing their registration).

4. Get information on CHILD SAs. The idea is that nhrp can then flush
all nhrp mappings when the last CHILD SA expires (or is killed by DPD).

It seems that this is almost possible by means of whack and updown
scripts. However, this would mean a lot of fork+exec on busy nodes (100
to 10.000 active tunnels). Also, the whack ABI seems to be unstable, so
in practice I'd need to exec the whack utility to do the work.

So I'm wondering if there would be interest in getting a more stable API to
control libreswan supporting (at least) the above three features.
Ideally, it'd be a single unix socket connection that is event based
(asynchronous), accepts initiate/terminate requests and provides the
IKE/CHILD SA notifications (+ SA DB synchronization on connect in case
nhrpd is restarted).
[1] http://git.alpinelinux.org/cgit/user/tteras/quagga/?h=nhrp
[2] https://sourceforge.net/projects/opennhrp/
[3] http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf
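The check behind point 3 above, as an added example that is not code from the mail, Quagga/NHRP or libreswan: the NHRP side receives the DER certificate the IKE peer authenticated with and only accepts a GRE/tunnel address registration if that address is an iPAddress SAN of the certificate. The self-signed certificate is constructed test data; the function names and the address 10.0.0.11 are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// peerAllowedByCert authorises an NHRP registration only if the GRE/tunnel
// address the peer claims appears as an iPAddress SAN in its IKE DER cert.
func peerAllowedByCert(der []byte, greAddr string) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err // unparsable cert: refuse, do not fall back to "allow"
	}
	ip := net.ParseIP(greAddr)
	if ip == nil {
		return false, fmt.Errorf("invalid tunnel address %q", greAddr)
	}
	for _, san := range cert.IPAddresses {
		if san.Equal(ip) { // Equal handles 4-byte vs 16-byte IPv4 forms
			return true, nil
		}
	}
	return false, nil
}

// makeTestCertDER builds a constructed self-signed certificate (test data
// only, hypothetical spoke) whose iPAddress SANs are the given addresses.
func makeTestCertDER(sans ...net.IP) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  sans,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	der := makeTestCertDER(net.ParseIP("10.0.0.11"))
	fmt.Println(peerAllowedByCert(der, "10.0.0.11")) // true <nil>
	fmt.Println(peerAllowedByCert(der, "10.0.0.12")) // false <nil>
}
```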