mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-06 00:00:47 -04:00
760d7c9b4f
The network namespace scenario requires a kernel patch in 4.19 and 4.20 kernels (the fix is included in 5.0 kernels).
18 lines
980 B
Plaintext
18 lines
980 B
Plaintext
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
|
|
is set up using XFRM interfaces.
|
|
<p/>
|
|
The gateways use <b>route-based forwarding</b> with <b>XFRM interfaces</b>, with
|
|
firewall rules to allow traffic to pass. The IPsec traffic selector used is
|
|
0.0.0.0/0, however, specific routing is achieved with routes on the XFRM
|
|
interfaces. The IKE daemon does not install routes for CHILD_SAs with outbound
|
|
interface ID, so static routes are installed for the target subnets.
|
|
<p/>
|
|
Both gateways use separate interfaces for in- and outbound traffic (which is
|
|
completely optional and mainly for testing purposes, a single interface will
|
|
usually be enough). Gateway <b>moon</b> creates them before initiating the
|
|
connection, while gateway <b>sun</b> dynamically creates the interfaces via
|
|
updown script using the passed unique generated interface IDs.
|
|
<p/>
|
|
Client <b>alice</b> behind gateway <b>moon</b> pings client <b>bob</b> located
|
|
behind gateway <b>sun</b>.
|