[Swan-dev] experimental : ipsec device/interface aka XFRMi

Antony Antony antony at phenome.org
Wed Jan 22 07:00:37 UTC 2020


The xfrmi branch got a bit more testing on OpenWRT (without NAT cases) and was rebased 
to current master.
Thanks to Paul and @lucize on github for testing.

Testing was focused on the road warrior setup and the OpenWRT peer-to-peer setup.  
@lucize brought up one issue:
https://github.com/libreswan/libreswan/issues/278#issuecomment-568001203
It is a bit of a complex issue related to routed VPN and 0/0 - 0/0 tunnels
and adding routes dynamically.
At this moment I think it is possibly a kernel-xfrm issue rather than a Libreswan-only 
issue. However, note this is something that works on VTI and not on 
xfrmi.

This morning in a testrun I noticed a bunch of coredumps from addconn:
https://swantest.libreswan.fi/s2/v3.28-1487-g3d33747478-testrun-xfrmi/
I will investigate the addconn crash today. 

There is one unexpected Netlink error for which I put in a hack. I need to look at it 
further, possibly after the merge to master.

The current configuration option is 
 ipsec-interface=no|yes|<n> where n = 1..UINT32_MAX

Note that 0x is necessary.

IPv6 and xfrmi may not work in all cases. The IPv6 up-down script needs more 
work.

My plan to resolve the addconn issue is a new testrun. If there are no major 
issues I will merge.

regards,
-antony

On Thu, Dec 05, 2019 at 07:38:23AM +0100, Antony Antony wrote:
> Here is an update from my side.  I rebased the branch. It seems to pass the test 
> cases; console output needs fixing due to changes in master.
> 
> I briefly saw on Paul's laptop that xfrmi did not work for him. I tried to 
> reproduce it, no luck so far.  Maybe something to do with WiFi and other 
> interfaces? I need more details for this case.
> 
> The keyword parsing at the moment is a bit odd:
> ipsec-interface=yes|no|<n in hex>
> It would be nice to allow decimal numbers. On the other hand, we can probably 
> start with hex :) and fix it soon.
> 
> If you have specific use cases that need routed VPN, please test and give 
> feedback.
> 
> I am not confident enough to merge to master. The updown script needs more testing.
> 
> -antony
> 
> test run:
> PS https://swantest.libreswan.fi/s2/v3.28-1263-gc1acc431aa-xfrmi-tesrun/
> 
> On Mon, Nov 04, 2019 at 01:24:46PM +0100, Antony Antony wrote:
> > Initial support for an ipsec device for Libreswan using Linux XFRMi.  The 
> > kernel support was introduced in 4.19. E.g. Fedora 30; otherwise you need a 4.19 or 
> > later kernel and the matching header files to compile this branch.
> > 
> > Please test it if you can; it would also be great to receive feedback on  
> > this development branch.
> > 
> > Hopefully it will get merged into libreswan 3.30 or 3.31.
> > 
> > To get the source code #xfrmi
> > git clone -b xfrmi https://github.com/antonyantony/libreswan
> > 
> > More details about XFRMi: https://libreswan.org/wiki/Route-based_XFRMi The 
> > configuration and keyword are likely to change. Now it is 
> > 
> > "ipsec-interface=yes", "yes|no|<n>" option. 
> > 
> > I am also hoping to make this work for advanced route-based VPN use cases.
> > That may need changes to pluto's idea of a route; back in the day "route" was 
> > destination only. Currently with iproute2 we can do more advanced things 
> > such as source- and destination-based routing.
> > 
> > Anyone using systemd-networkd here? I think it can support the xfrm device type.  
> > Let me know if you can test systemd-networkd support. Also OpenWRT is known 
> > to have xfrm device support.
> > 
> > regards,
> > -antony
> > _______________________________________________
> > Swan-dev mailing list
> > Swan-dev at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
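The thread above describes the ipsec-interface=yes|no|<n> keyword (n in 1..UINT32_MAX, hex with a 0x prefix on this branch) and the routed-VPN case where routes are added over the xfrm device. The script below is an added example, not libreswan's own updown script or code from this branch: it validates such a keyword value and prints the iproute2 commands that create the corresponding XFRM interface on a 4.19+ kernel and route remote subnets through it. It assumes the device naming convention ipsec<n> bound to XFRM if_id <n>, and the physical device and subnets are placeholders. It only prints the commands, so it runs without root; pipe its output to sh to apply it.

```shell
#!/bin/sh
# Added example (not libreswan code): turn an ipsec-interface=<value> keyword
# into the iproute2 commands for a Linux XFRM interface (kernel >= 4.19).
# Assumptions: device name ipsec<n> bound to if_id <n>; commands are printed,
# not executed. IPsec SAs/policies must carry the same if_id (libreswan does
# that over netlink) or traffic will not use the device.

UINT32_MAX=4294967295

# xfrmi_ifid VALUE
# Prints the if_id as a decimal number, or returns 1 if VALUE is invalid.
# Accepts "0x<hex>" (what the branch at this point requires) and plain
# decimal; "yes"/"no" are not interface numbers and are rejected here.
xfrmi_ifid() {
    v=$1
    case $v in
        0x*|0X*)
            hex=${v#0?}
            # must be 1..8 hex digits so the value fits in 32 bits
            case $hex in
                ''|*[!0-9a-fA-F]*) return 1 ;;
            esac
            [ ${#hex} -le 8 ] || return 1
            n=$((0x$hex)) ;;
        ''|*[!0-9]*) return 1 ;;
        *) n=$v ;;
    esac
    # if_id 0 is the kernel's "not bound to an xfrm interface" value,
    # hence the 1..UINT32_MAX range
    [ "$n" -ge 1 ] && [ "$n" -le "$UINT32_MAX" ] || return 1
    echo "$n"
}

# xfrmi_cmds VALUE PHYSDEV [REMOTE_SUBNET ...]
# Prints the commands an updown hook would need: create the xfrm device on
# top of PHYSDEV with the if_id, bring it up, and route each remote subnet
# through it (use 0.0.0.0/0 for a 0/0 - 0/0 routed VPN).
xfrmi_cmds() {
    ifid=$(xfrmi_ifid "$1") || {
        echo "bad ipsec-interface value: $1" >&2
        return 1
    }
    physdev=$2
    shift 2
    dev="ipsec$ifid"
    echo "ip link add $dev type xfrm dev $physdev if_id $ifid"
    echo "ip link set $dev up"
    for net in "$@"; do
        echo "ip route add $net dev $dev"
    done
}

# Usage: ipsec-interface=0x1 on eth0 (placeholders), routing one remote subnet.
xfrmi_cmds 0x1 eth0 10.0.2.0/24
```

Running the block prints three commands; apply them only on a kernel with CONFIG_XFRM_INTERFACE, and remember that the route alone does not encrypt anything: the SAs and policies installed for the connection must be bound to the same if_id for packets sent into ipsec1 to match.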

