[Swan-dev] quagga/nhrp integration to libreswan

Paul Wouters paul at nohats.ca
Tue Apr 5 19:50:28 UTC 2016

On Tue, 5 Apr 2016, Timo Teras wrote:

> quagga master tree soon (and also opennhrp [2] - the earlier
> implementation of nhrp with racoon). I also worked on the Linux kernel
> IPsec/GRE drivers to make NBMA mode work.
> All of this implements the NHRP protocol which along with NBMA GRE-tunnels
> and IPsec can be used to implement Cisco DMVPN [3].

That's great!

> 1. Initiate IKE+CHILD SA of specific connection to specific host. That
> is nhrp provides the connection name, and left/right IP-addresses
> (roughly equivalent of kernel sent acquire).
> 2. Terminate all SAs given the connection name, and IP-addresses.

That can be done with whack (see below)

> 3. Get information of IKE SA authentications (preferably including the
> DER certificate if using x509). This information is sent to optional
> nhrp triggers for authentication (e.g. to verify gre ip-addresses
> against the certificate before allowing their registration).

That is something we will have to add. Can you explain in a little more
detail what you need?

> 4. Get information of CHILD SAs. The idea is that nhrp can then flush
> all nhrp mappings when last CHILD SA expires (or is killed by DPD).

So we have ipsec whack --trafficstatus but I guess you want a listing
of "conn-name source/mask <-> dest/mask" ? If there are many like you
suggest, would you want to ask pluto based on a conn name or a prefix?

> It seems that this is almost possible by means of whack and updown
> scripts. However, this would mean a lot of fork+exec on busy nodes (100
> to 10.000 active tunnels). Also the whack abi seems to be unstable, so
> in practice I'd need to exec the whack utility to do the work.
> So I'm wondering if there would be interest to get a more stable api to
> control libreswan supporting (at least) the above three features.
> Ideally, it'd be single unix socket connection that is event based
> (asynchronous) and accepts initiate/terminate requests and provides the
> ike/child sa notifications (+ sa db synchronization on connect in case
> nhrpd is restarted).

Whack in the end is also a simple socket, and you could implement whack
in your app so you can just use a socket. But perhaps we need to give
you a separate socket so there is no risk of accidentally blocking.

Thanks for reaching out to us, and let's keep the conversation going
to make this work with libreswan.

