[Swan-dev] [OpenWrt-Devel] [PATCH v3 2/3] network/config: add xfrm interface support scripts]

Antony Antony antony at phenome.org
Wed Jun 12 15:25:14 UTC 2019

On Tue, Jun 11, 2019 at 06:18:26PM -0400, Paul Wouters wrote:
> On Tue, 11 Jun 2019, Antony Antony wrote:
> > XFRMi seems to be picking up fast. A proposed patch to OpenWRT network
> > scripts would add support for an xfrm device. I guess we/Libreswan should
> > merge our branch soon!
> Cool. What is preventing the branch from being merged right now?

waiting on testing and agreeing on what features to implement/support 
initially. I am not up for X-mas lights, enabling lots of features, and 
complicated features without a written use case and testing. Also when I 
mentioned the idea xfrmi interfaces should be maintained by systemd-networkd 
or NetworkManager, I didn't notice response. Now it is quite clear OpenWRT + 
strongswan is likely going that way. Also need to rebase to 3.28, current 

> > OpenWRT patch proposal suggest the whole interface creation and its
> > lifecycle could be managed by system network scripts.
> > I imagine on Debian/Fedora systemd-networkd would get similar support soon.
> > Or may be NetworkManager. I am not sure.
> I think it is certainly something we want to support. If a connection is
> configured with mark=, and something else creates the interface, are we
> still expected to change the routing too?
> > Note they also planned to add ip address there. I wonder how this would work
> > in various cases, road warrior, or BGP/routing protocol situations.
> I guess it would only work for the static IP cases? Which seems to be
> the more likely case for openwrt anyway?
> > This package adds scripts for xfrm interfaces support.
> > Example configuration via /etc/config/network:
> > 
> > config interface 'xfrm0'
> >        option proto 'xfrm'
> >        option mtu '1300'
> >        option zone 'VPN'
> >        option tunlink 'wan'
> >        option ifid 30
> Ok so that would pre-create the interface. But if they already route
> into it without ipsec running, packets would be lost. That could be a
> bug or a feature, depending on your view.
> > config interface 'xfrm0_static'
> >        option proto 'static'
> >        option ifname '@xfrm0'
> >        option ip6addr 'fe80::1/64'
> >        option ipaddr ''
> I guess _static is a generic way to configure an interface? Kind of odd
> it needs a seperate section.
> > Now set in strongswan IPsec policy:
> > 	if_id_in = 30
> > 	if_id_out = 30
> right, which for us would be mark=30/0xffffffff

Why would you, as IPsec admin, want to configure the mark for xfrm 
interface? and which mark is this? there are atleast 2 marks in the kernel 
now, related to xfrm. The current config options are setting a mark which is 
not used xfrm code path.

User setting mark is only for a very advanced user cases.  Where they have 
multiple up links and linux reply with different src address than the 
destination address. Some users may argue that is the most common case for 
route based vpn. Well in that case Libreswan test coverage and design are 
not up to the task. Likely the users have secret sauce to make it work.

I have a feeling you are confusing XFRMi with VTI settings. Simple xfrm 
interface use case do not need user configuring mark. If you need it is not 
the currently configurable marks in Libreswan. It is the recently, 2018, 
introduced OUTPUT_MARK for routing ESP packets. So be careful when 
mentioning mark. xfrmi use "if_id"  not marks for simple cases. Even for the 
cases  as 0/0 - 0/0, or host-to-host,(/32 to - /32) xfrm would set 
OUTPUT_MARK mark for routing the esp packet. That does not need to 
configured. And the suggested complicated case need OUTPUT_MARK and mask.

> (we should support mark's without mask, but our parser doesn't like to
>  get only numbers for a string) 

again  I am not sure. the advanced use cas as I understand need user 
configurable mask 0xfffff won't work. XFRM developers also initially 
thought mask was unnecessary and they had to add lot kludge to add mark later 
on and keep supporting without mask, because it was released.

More information about the Swan-dev mailing list