[Swan] Interworking with Cisco VTI model (any-to-any tunnel, selected routing)
paul at nohats.ca
Thu Dec 3 16:30:00 UTC 2015
On Thu, 3 Dec 2015, Sébastien Lefevre wrote:
> Marking is indeed useful here to ensure that default packets are not matching the policy, which was my initial problem.
> In my updown, instead of marking packets with mangle, I still use my old approach of setting narrower policies:
Ahh I see. Of course manually adding/removing XFRM rules is not
recommended because pluto is not aware of those and it keeps its
on list of what it thinks is in the kernel.
> In our VPN concentrator model, we expose a single private IP address specific to each tunnel. So based on this specific IP, we can select the tunnel to use.
> This approach does not block packets if the VPN is not up (they'll be routed through the default gateway), so this is still far from perfect.
So your use case would be fixed with leftpolicynets=a.b.c.d/32 and rightpolicynets=0.0.0.0/0
More information about the Swan