Feature #2845

Support virtual XFRM interfaces added in 4.19

Added by Stijn Tintel about 2 months ago. Updated 2 days ago.


Would be nice if this can be supported in strongSwan.


#1 Updated by Roman Moschenski about 1 month ago

Stijn Tintel wrote:

Would be nice if this can be supported in strongSwan.

Would be great to have strongSwan support for this new kernel feature. If I understand that correctly, we have to extend the add_policy_internal function of the kernel_netlink plugin by passing an XFRMA_IF_ID alongside XFRMA_TMPL. That would add the ID of our virtual interface to the corresponding XFRM policy in the kernel.
This feature could be a compile-time flag to stay backwards compatible with older kernels or with kernels compiled with CONFIG_XFRM_INTERFACE=n.

What do you think Tobias?
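
The policy message layout the comment describes, as an added example that is not strongSwan's code and not the patch discussed later in this thread: it appends XFRMA_IF_ID as a netlink TLV attribute after XFRMA_TMPL and walks the attributes back out. The netlink constants are copied from the kernel headers; the policy and template structs are simplified stand-ins (not the real xfrm_userpolicy_info / xfrm_user_tmpl ABI), and the kernel_has_if_id flag is a hypothetical stand-in for the compile-time or runtime check mentioned above. An older kernel's attribute parser ignores types above the maximum it knows, so the gate refuses to send an if_id the kernel cannot honour rather than installing an unbound policy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout constants copied from <linux/netlink.h> and <linux/xfrm.h>
 * so the example builds without kernel headers installed. */
#define NLMSG_ALIGNTO      4u
#define NLMSG_ALIGN(n)     (((n) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLA_ALIGN(n)       NLMSG_ALIGN(n)
#define NLM_F_REQUEST      0x01
#define NLM_F_ACK          0x04
#define XFRM_MSG_NEWPOLICY 0x13
#define XFRMA_TMPL         5
#define XFRMA_IF_ID        31   /* attribute added in Linux 4.19 */

struct nlmsghdr {
    uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
    uint32_t nlmsg_seq; uint32_t nlmsg_pid;
};
struct nlattr { uint16_t nla_len; uint16_t nla_type; };

/* Hypothetical simplified stand-ins for xfrm_userpolicy_info and
 * xfrm_user_tmpl: only the fields this example needs, not the real ABI. */
struct policy_info { uint32_t priority; uint32_t index; uint8_t dir; uint8_t action; uint8_t pad[2]; };
struct policy_tmpl { uint32_t reqid; uint8_t proto; uint8_t mode; uint8_t pad[2]; };

#define NLMSG_HDRLEN ((size_t)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLA_HDRLEN   ((size_t)NLA_ALIGN(sizeof(struct nlattr)))
#define FIXED_LEN    (NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct policy_info)))

/* Append one TLV attribute to the message; -1 if the buffer is too small. */
static int nl_add_attr(struct nlmsghdr *hdr, size_t bufsize, uint16_t type,
                       const void *data, size_t len)
{
    size_t off = NLMSG_ALIGN(hdr->nlmsg_len), total = NLA_HDRLEN + len;
    if (off + NLA_ALIGN(total) > bufsize) return -1;
    struct nlattr *a = (struct nlattr *)((uint8_t *)hdr + off);
    a->nla_len = (uint16_t)total;
    a->nla_type = type;
    memcpy((uint8_t *)a + NLA_HDRLEN, data, len);
    /* zero the alignment padding so no stale bytes reach the kernel */
    memset((uint8_t *)a + total, 0, NLA_ALIGN(total) - total);
    hdr->nlmsg_len = (uint32_t)(off + NLA_ALIGN(total));
    return 0;
}

/* Build XFRM_MSG_NEWPOLICY with one template and, if an interface id is
 * configured and the kernel supports it, XFRMA_IF_ID.  Returns the message
 * length, or -1 on overflow or when the kernel would ignore the id. */
static int build_policy_msg(uint8_t *buf, size_t bufsize, uint32_t reqid,
                            uint32_t if_id, int kernel_has_if_id)
{
    if (bufsize < FIXED_LEN) return -1;
    memset(buf, 0, bufsize);
    struct nlmsghdr *hdr = (struct nlmsghdr *)buf;
    hdr->nlmsg_type = XFRM_MSG_NEWPOLICY;
    hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    hdr->nlmsg_len = (uint32_t)FIXED_LEN;
    struct policy_info *pi = (struct policy_info *)(buf + NLMSG_HDRLEN);
    pi->priority = 1024;
    pi->dir = 1;                       /* XFRM_POLICY_OUT */
    struct policy_tmpl t = { .reqid = reqid, .proto = 50 /* ESP */, .mode = 1 /* tunnel */ };
    if (nl_add_attr(hdr, bufsize, XFRMA_TMPL, &t, sizeof t)) return -1;
    if (if_id != 0) {
        /* a pre-4.19 kernel silently drops unknown attribute types, which
         * would install a policy not bound to the interface: refuse instead */
        if (!kernel_has_if_id) return -1;
        if (nl_add_attr(hdr, bufsize, XFRMA_IF_ID, &if_id, sizeof if_id)) return -1;
    }
    return (int)hdr->nlmsg_len;
}

/* Walk the attributes after the fixed payload; 1 and *out set when a 4-byte
 * attribute of the given type is present, 0 if absent or malformed. */
static int nl_find_u32(const uint8_t *buf, size_t msglen, uint16_t type, uint32_t *out)
{
    size_t off = FIXED_LEN;
    while (off + NLA_HDRLEN <= msglen) {
        const struct nlattr *a = (const struct nlattr *)(buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > msglen) return 0;
        if (a->nla_type == type && a->nla_len == NLA_HDRLEN + sizeof(uint32_t)) {
            memcpy(out, (const uint8_t *)a + NLA_HDRLEN, sizeof *out);
            return 1;
        }
        off += NLA_ALIGN(a->nla_len);   /* nla_len >= 4 guarantees progress */
    }
    return 0;
}

/* Round trip: the if_id the built message carries, 0 if none, -1 if refused. */
static int policy_if_id(uint32_t if_id, int kernel_has_if_id)
{
    uint8_t buf[256];
    int len = build_policy_msg(buf, sizeof buf, 7, if_id, kernel_has_if_id);
    if (len < 0) return -1;
    uint32_t found = 0;
    return nl_find_u32(buf, (size_t)len, XFRMA_IF_ID, &found) ? (int)found : 0;
}

/* Length of the built message: 28 fixed + 12 (TMPL) + 8 (IF_ID) bytes. */
static int policy_msg_len(uint32_t if_id, int kernel_has_if_id)
{
    uint8_t buf[256];
    return build_policy_msg(buf, sizeof buf, 7, if_id, kernel_has_if_id);
}

int main(void)
{
    printf("if_id 42 on 4.19+: %d (len %d)\n", policy_if_id(42, 1), policy_msg_len(42, 1));
    printf("if_id 42 on older kernel: %d\n", policy_if_id(42, 0));
    return 0;
}
```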

#2 Updated by Martin Willi about 1 month ago

I have some plans to add XFRM interfaces support to strongSwan. No code and no schedule yet, though.

I guess the technical details about installing policies tied to interfaces are rather clear.
From a configuration perspective, we probably want to configure a (shared?) XFRM interface per CHILD_SA.

The question is what are the use cases and who is responsible for creating these interfaces (externally or strongSwan):

  • One of my use cases is certainly layer 3 master devices, to bind specific tunnels to certain VRF domains
  • Another nice use case could be passing XFRM interfaces into network namespaces, so a host can provide secured links to its containers
  • Most users probably just want IPsec interfaces for simplified firewalling

#3 Updated by Markus Sattler 2 days ago

I created a basic patch that allows setting the XFRMA_IF_ID via config.

The PR can be found here:
