[Swan-dev] expirimental : ipsec device/interface aka XFRMi
antony at phenome.org
Thu Dec 5 06:38:23 UTC 2019
Here is an update from my side. I rebased the branch. It seems to pass test
cases, console output need fixing due to changes master.
I briefly saw on Paul's laptop xfrmi did not work for him. I tried to
reproduce it no luck so far. May be something to do with WiFi and other
interfaces? I need more details for this case.
the keyword parsing at them moment is a bit odd.
ipsec-interface=yes|no|<n in hex>
It would be nice to allow decimal numbers. On the other hand we can probably
start with hex:) and fix it soon.
If you have specific use cases that need routed vpn please test and give
I am not confident to merge to master. The updown script need more testing.
On Mon, Nov 04, 2019 at 01:24:46PM +0100, Antony Antony wrote:
> Initial support for ipsec device for Libreswan using Linux XFRMi. The
> kernel support was introduced in 4.19. E.g Fedora 30, or you need 4.19 or
> later kernel and the matching header files to compile this branch.
> Please test it if you can, also it would be great to receive feedback on
> this development branch.
> Hopefully it would get merged into libresan 3.30 or 3.31.
> To get the source code #xfrmi
> git clone -b xfrmi https://github.com/antonyantony/libreswan
> more details about XFRMi https://libreswan.org/wiki/Route-based_XFRMi The
> configuration and keyword is likely change. Now it is
> "ipsec-interface=yes", "yes|no|<n>" option.
> I am also hopping to make this work for advanced route based VPN use cases.
> That may need changes to pluto's idea route, back in the days "route" was
> destination only. Currently with iproute2 we can do more advanced things
> such as source and destination based routing.
> Anyone using systemd-networkd here? I think it can support xfrm type device.
> Let me know if you can test systemd-networkd support. Also OpenWRT is known
> to have xfrm device support.
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
More information about the Swan-dev