<div dir="ltr">Thanks Paul,<div><br><div>I'm well aware to the advantages of using SA (and totally agree that its better) per subnet pair put I can't change my customer specification (it's given on their side), so </div><div><br></div><div>I'm still looking for a technique that will let me support multiple of those SA per GW connection to multiple different CP VPN GWs</div></div><div><br></div><div>If manually changing xfrm policy is not the right way, than I'm left with classification via the connection configuration - is there an option to classify traffic using a "mark"?</div><div><br></div><div>As far as I tested, xfrm policies support the mark option - this will allow me to "mark" traffic using iptables which will let me send the outgoing traffic via the right tunnel</div><div>(connection1 will fwd traffic marked with 1, connection2 will fwd traffic marked 2...etc)</div><div><br></div><div>Any thoughts?</div><div><br></div><div>Amir</div><div><br></div><div> </div><div><br></div><div> </div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(0,0,0)"><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><b><font color="#000000"><span>Amir</span> Naftali</font></b> | <b><font face="arial, helvetica, sans-serif"><font color="#0000ff">CTO and Co-Founder</font> | </font>+972 54 497 2622</b></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><br></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><a href="http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig" style="color:rgb(0,0,255);font-family:'Courier New';font-size:14px;line-height:21px" target="_blank"><img align="none" height="37" src="https://gallery.mailchimp.com/805c65e3dbe647f677fe8ee38/images/bde29e88-9385-4f4b-ae97-60c704de1547.png" width="200" alt="" style="width:200px;min-height:37px;margin:0px"></a><br></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Oct 29, 2015 at 11:46 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thu, 29 Oct 2015, Amir Naftali wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
That might do for the simple case but my Libreswan based VPN server is aggregating many such connections<br>
including connection where SAs are negotiated per subnet pairs <br>
</blockquote>
<br></span>
Well, "routing based VPNs" are not the best choice. It is much more<br>
secure and easier to configure "policy based VPNs". That is where you<br>
specifically define the traffic allowed to pass using leftsubnet= and<br>
rightsubnet=.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Please note that the wildcard negotiation is just a technical requirement - I'm not really looking to<br>
install a wildcard xfrm policies. The installed policy will have a src/dst subnets blocks allocated to<br>
them.<br>
<br>
Basically I'm still looking for a way to take control over xfrm policies instrumentation using the<br>
leftupdown option in the connection configuration and the issue I described (partial xfrm policy<br>
instrumentation during re-key) is the only thing that prevents me from being able to do so.<br>
<br>
Is there a way to tell a connection not to install xfrm policies at all or is there a way to prevent form<br>
libreswan to install the partial xfrm "out" policy during re-key?<br>
</blockquote>
<br></span>
You should never manually modify the xfrm tables outside the running IKE<br>
daemon. The IKE daemon is not aware of your manual tweaks and it could<br>
lead to mismatched policies, unexpected state and packet leaks.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>