
Feature #2845

Support virtual XFRM interfaces added in 4.19

Added by Stijn Tintel about 2 months ago. Updated 2 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
30.11.2018
Due date:
Estimated time:
Resolution:

Description

See https://www.mail-archive.com/netdev@vger.kernel.org/msg239295.html
It would be nice if this could be supported in strongSwan.

History

#1 Updated by Roman Moschenski about 1 month ago

Stijn Tintel wrote:

See https://www.mail-archive.com/netdev@vger.kernel.org/msg239295.html
It would be nice if this could be supported in strongSwan.

It would be great to have strongSwan support for this new kernel feature. If I understand that correctly, we have to extend the add_policy_internal function (https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c#L2669) of the kernel_netlink plugin by passing an XFRMA_IF_ID alongside XFRMA_TMPL. That would add the ID of our virtual interface to the corresponding XFRM policy in the kernel:
https://github.com/torvalds/linux/blob/master/net/xfrm/xfrm_user.c#L1620
This feature could be a compile-time flag to stay backwards compatible with older kernels or with kernels compiled with CONFIG_XFRM_INTERFACE=n.

What do you think, Tobias?
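As an added illustration of the change described in this comment (not code from strongSwan or from the PR), the following builds an XFRM_MSG_NEWPOLICY netlink message that carries XFRMA_IF_ID beside XFRMA_TMPL, adds the attribute only when an interface id is configured (so the message stays valid for kernels without CONFIG_XFRM_INTERFACE), and parses it back with bounds checks; the selector values, the 512-byte buffer and the roundtrip helper are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>
#ifndef XFRMA_IF_ID
#define XFRMA_IF_ID 31 /* value from the 4.19 uapi enum, fallback for older headers */
#endif
/* Append one netlink attribute (header plus 4-byte-aligned payload) to the message. */
static void add_attr(struct nlmsghdr *h, uint16_t type, const void *data, uint16_t len)
{
    struct nlattr *a = (struct nlattr *)((char *)h + NLMSG_ALIGN(h->nlmsg_len));
    a->nla_type = type; a->nla_len = NLA_HDRLEN + len;
    memcpy((char *)a + NLA_HDRLEN, data, len);
    h->nlmsg_len = NLMSG_ALIGN(h->nlmsg_len) + NLA_ALIGN(a->nla_len);
}
/* XFRM_MSG_NEWPOLICY with the usual XFRMA_TMPL; XFRMA_IF_ID is appended only when
 * if_id != 0, which ties the policy to that xfrm interface (legacy behaviour otherwise). */
uint32_t build_policy(struct nlmsghdr *h, uint32_t if_id)
{
    struct xfrm_userpolicy_info *pol; struct xfrm_user_tmpl tmpl = {0};
    memset(h, 0, NLMSG_SPACE(sizeof(*pol)));
    h->nlmsg_type = XFRM_MSG_NEWPOLICY; h->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    h->nlmsg_len = NLMSG_LENGTH(sizeof(*pol));
    pol = NLMSG_DATA(h); pol->sel.family = AF_INET; /* constructed: any IPv4 traffic */
    pol->dir = XFRM_POLICY_OUT; pol->action = XFRM_POLICY_ALLOW;
    tmpl.id.proto = IPPROTO_ESP; tmpl.family = AF_INET; tmpl.mode = XFRM_MODE_TUNNEL;
    add_attr(h, XFRMA_TMPL, &tmpl, sizeof(tmpl));
    if (if_id) add_attr(h, XFRMA_IF_ID, &if_id, sizeof(if_id));
    return h->nlmsg_len;
}
/* Walk the attributes of a built message; return its XFRMA_IF_ID, or 0 if absent. */
uint32_t policy_if_id(const struct nlmsghdr *h)
{
    uint32_t off = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info))), v = 0;
    while (off + NLA_HDRLEN <= h->nlmsg_len) {
        const struct nlattr *a = (const struct nlattr *)((const char *)h + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > h->nlmsg_len) break; /* malformed */
        if (a->nla_type == XFRMA_IF_ID && a->nla_len == NLA_HDRLEN + sizeof(v))
            memcpy(&v, (const char *)a + NLA_HDRLEN, sizeof(v));
        off += NLA_ALIGN(a->nla_len);
    }
    return v;
}
/* Build into a local buffer and parse back: the if_id the kernel would see. */
uint32_t roundtrip_if_id(uint32_t if_id)
{
    union { struct nlmsghdr h; char raw[512]; } m; /* constructed scratch buffer */
    build_policy(&m.h, if_id);
    return policy_if_id(&m.h);
}
```

Sending the message to an AF_NETLINK/NETLINK_XFRM socket is left out on purpose; the point here is the attribute layout that the kernel_netlink plugin would have to emit.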

#2 Updated by Martin Willi about 1 month ago

I have some plans to add XFRM interfaces support to strongSwan. No code and no schedule yet, though.

I guess the technical details about installing policies tied to interfaces are rather clear.
From a configuration perspective, we probably want to configure a (shared?) XFRM interface per CHILD_SA.

The question is what the use cases are and who is responsible for creating these interfaces (externally or by strongSwan):

  • One of my use cases is certainly layer 3 master devices, to bind specific tunnels to certain VRF domains
  • Another nice use case could be passing XFRM interfaces into network namespaces, so a host can provide secured links to its containers
  • Most users probably just want IPsec interfaces for simplified firewalling

#3 Updated by Markus Sattler 2 days ago

I created a basic patch to allow setting the XFRMA_IF_ID via config.

The PR can be found here:
https://github.com/strongswan/strongswan/pull/122
