[Swan-dev] experimental: ipsec device/interface aka XFRMi
Antony Antony
antony at phenome.org
Wed Jan 22 07:00:37 UTC 2020
The xfrmi branch got a bit more testing on OpenWRT without NAT cases and was rebased
to current master.
Thanks to Paul and @lucize on github for testing.
Testing was focused on road warrior setup and OpenWRT peer-to-peer setup.
@lucize brought up one issue.
https://github.com/libreswan/libreswan/issues/278#issuecomment-568001203
It is a bit of a complex issue related to routed VPN and 0/0 - 0/0 tunnels
and adding routes dynamically.
At this moment I think it is possibly more of a kernel-xfrm issue than a Libreswan
only issue. However, note that this is something that works on VTI and not on
xfrmi.
This morning in a testrun I noticed a bunch of coredumps from addconn
https://swantest.libreswan.fi/s2/v3.28-1487-g3d33747478-testrun-xfrmi/
I will investigate the addconn crash today.
There is one unexpected Netlink error for which I put in a hack. I need to look at it
further, possibly after the merge to master.
The current configuration option is
ipsec-interface=no|yes|<n> where n = 1..UINT32_MAX
Note: 0x is necessary.
IPv6 and xfrmi may not work in all cases. The IPv6 up-down script needs more
work.
My plan to resolve the addconn issue is a new testrun. If there are no major
issues I will merge.
regards,
-antony
On Thu, Dec 05, 2019 at 07:38:23AM +0100, Antony Antony wrote:
> Here is an update from my side. I rebased the branch. It seems to pass test
> cases; console output needs fixing due to changes in master.
>
> I briefly saw on Paul's laptop that xfrmi did not work for him. I tried to
> reproduce it, no luck so far. Maybe something to do with WiFi and other
> interfaces? I need more details for this case.
>
> The keyword parsing at the moment is a bit odd.
> ipsec-interface=yes|no|<n in hex>
> It would be nice to allow decimal numbers. On the other hand we can probably
> start with hex:) and fix it soon.
>
> If you have specific use cases that need routed VPN please test and give
> feedback.
>
> I am not confident to merge to master. The updown script needs more testing.
>
> -antony
>
> test run:
> PS https://swantest.libreswan.fi/s2/v3.28-1263-gc1acc431aa-xfrmi-tesrun/
>
> On Mon, Nov 04, 2019 at 01:24:46PM +0100, Antony Antony wrote:
> > Initial support for ipsec device for Libreswan using Linux XFRMi. The
> > kernel support was introduced in 4.19. E.g. Fedora 30, or you need a 4.19 or
> > later kernel and the matching header files to compile this branch.
> >
> > Please test it if you can, also it would be great to receive feedback on
> > this development branch.
> >
> > Hopefully it would get merged into libreswan 3.30 or 3.31.
> >
> > To get the source code #xfrmi
> > git clone -b xfrmi https://github.com/antonyantony/libreswan
> >
> > More details about XFRMi: https://libreswan.org/wiki/Route-based_XFRMi The
> > configuration and keyword are likely to change. Now it is
> >
> > "ipsec-interface=yes", "yes|no|<n>" option.
> >
> > I am also hoping to make this work for advanced route based VPN use cases.
> > That may need changes to pluto's idea of a route; back in the day "route" was
> > destination only. Currently with iproute2 we can do more advanced things
> > such as source and destination based routing.
> >
> > Anyone using systemd-networkd here? I think it can support xfrm type devices.
> > Let me know if you can test systemd-networkd support. Also OpenWRT is known
> > to have xfrm device support.
> >
> > regards,
> > -antony
> > _______________________________________________
> > Swan-dev mailing list
> > Swan-dev at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
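The thread above describes the keyword as ipsec-interface=no|yes|<n in hex> (0x prefix required) and says the kernel needs to be 4.19 or later. The script below is an added example, not libreswan code: it maps a keyword value to an if_id the way the mails describe, checks the running kernel version, and prints the iproute2 command that creates the equivalent xfrm device by hand so kernel support can be verified without pluto. The device name "ipsec<n>" and "yes" mapping to if_id 1 are this example's own assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not libreswan code). Assumptions: device name ipsec<n>
# and yes -> if_id 1 are conventions chosen here, not from the thread.

# Print the if_id (decimal) for an ipsec-interface= value; prints nothing
# for "no". Returns 1 for values the mails say are rejected: no 0x prefix,
# zero, or above UINT32_MAX.
xfrmi_if_id() {
    case "$1" in
        no)  return 0 ;;
        yes) echo 1 ;;
        0x*) # hex with the mandatory 0x prefix; printf %d parses base-0
             n=$(printf '%d' "$1" 2>/dev/null) || return 1
             [ "$n" -gt 0 ] || return 1
             [ "$n" -le 4294967295 ] || return 1
             echo "$n" ;;
        *)   return 1 ;;
    esac
}

# Return 0 if kernel release $1 (e.g. "5.4.0-3-amd64") is >= $2.$3.
kernel_at_least() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%.*}
    min=${min%%[!0-9]*}          # strip "-rc1" style suffixes
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# Print (do not run) the manual iproute2 equivalent of the keyword for
# underlying device $2, e.g. "ip link add ipsec1 type xfrm dev eth0 if_id 1".
xfrmi_link_cmd() {
    id=$(xfrmi_if_id "$1") || return 1
    [ -n "$id" ] || return 0     # ipsec-interface=no: no device at all
    echo "ip link add ipsec$id type xfrm dev $2 if_id $id"
}

# Usage: sh xfrmi-check.sh --check [keyword-value] [device]
if [ "${1:-}" = "--check" ]; then
    if kernel_at_least "$(uname -r)" 4 19; then
        echo "kernel $(uname -r): XFRMi available (>= 4.19)"
    else
        echo "kernel $(uname -r): too old for XFRMi, need >= 4.19" >&2
        exit 1
    fi
    xfrmi_link_cmd "${2:-yes}" "${3:-eth0}"
fi
```

Run the printed ip command as root on a 4.19+ kernel; if it fails, the problem is kernel or iproute2 support rather than the branch.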