[Swan-dev] experimental : ipsec device/interface aka XFRMi
Antony Antony
antony at phenome.org
Thu Dec 5 06:38:23 UTC 2019
Here is an update from my side. I rebased the branch. It seems to pass test
cases; console output needs fixing due to changes in master.
I briefly saw on Paul's laptop xfrmi did not work for him. I tried to
reproduce it, no luck so far. Maybe something to do with WiFi and other
interfaces? I need more details for this case.
The keyword parsing at the moment is a bit odd.
ipsec-interface=yes|no|<n in hex>
It would be nice to allow decimal numbers. On the other hand we can probably
start with hex:) and fix it soon.
If you have specific use cases that need routed VPN please test and give
feedback.
I am not confident to merge to master. The updown script needs more testing.
-antony
test run:
PS https://swantest.libreswan.fi/s2/v3.28-1263-gc1acc431aa-xfrmi-tesrun/
On Mon, Nov 04, 2019 at 01:24:46PM +0100, Antony Antony wrote:
> Initial support for ipsec device for Libreswan using Linux XFRMi. The
> kernel support was introduced in 4.19. E.g. Fedora 30, or you need 4.19 or
> later kernel and the matching header files to compile this branch.
>
> Please test it if you can, also it would be great to receive feedback on
> this development branch.
>
> Hopefully it would get merged into libreswan 3.30 or 3.31.
>
> To get the source code #xfrmi
> git clone -b xfrmi https://github.com/antonyantony/libreswan
>
> More details about XFRMi: https://libreswan.org/wiki/Route-based_XFRMi The
> configuration and keyword are likely to change. Now it is
>
> "ipsec-interface=yes", "yes|no|<n>" option.
>
> I am also hoping to make this work for advanced route based VPN use cases.
> That may need changes to pluto's idea of route, back in the days "route" was
> destination only. Currently with iproute2 we can do more advanced things
> such as source and destination based routing.
>
> Anyone using systemd-networkd here? I think it can support xfrm type device.
> Let me know if you can test systemd-networkd support. Also OpenWRT is known
> to have xfrm device support.
>
> regards,
> -antony