[Swan-dev] experimental : ipsec device/interface aka XFRMi

Antony Antony antony at phenome.org
Mon Nov 4 12:24:46 UTC 2019


Initial support for ipsec device for Libreswan using Linux XFRMi. The
kernel support was introduced in 4.19. E.g. Fedora 30, or you need a 4.19 or
later kernel and the matching header files to compile this branch.

Please test it if you can, also it would be great to receive feedback on  
this development branch.

Hopefully it would get merged into libreswan 3.30 or 3.31.

To get the source code #xfrmi
git clone -b xfrmi https://github.com/antonyantony/libreswan

More details about XFRMi: https://libreswan.org/wiki/Route-based_XFRMi

The configuration and keyword are likely to change. Now it is

"ipsec-interface=yes", "yes|no|<n>" option. 

I am also hoping to make this work for advanced route based VPN use cases.
That may need changes to pluto's idea of route; back in the days "route" was
destination only. Currently with iproute2 we can do more advanced things 
such as source and destination based routing.

Anyone using systemd-networkd here? I think it can support xfrm type device.  
Let me know if you can test systemd-networkd support. Also OpenWRT is known 
to have xfrm device support.

regards,
-antony

