Use side-band to configure strongswan's
Is it possible to use a different ifname (say eth0) for swan's negotiation
while actually configuring another ifname (say eth1) for transport?
#2 Updated by Amir Yungman 12 months ago
Yes. Something called side-band.
I am working on offloading, but the question is general for any configuration.
Assume we have HOST1-2-HOST2 and we would like to configure transport between them on eth0-eth0, let's say 192.168.100.1 .. 192.168.100.2.
Now, the protocol (negotiate, IKE, etc.) between the two hosts is running on those IPs in order to configure that transport channel. That's fine.
What I'm asking is if it's possible to use another interface for config negotiation?
For example, assume HOST1-HOST2 also communicate through 10.79.1.1 .. 10.78.1.2
and they negotiate there in order to secure 192.168.100.1 <-> 192.168.100.2.
#3 Updated by Tobias Brunner 12 months ago
If you are asking if it's possible to protect other IP addresses than those used for IKE, sure (maybe also look into beet mode). If you actually want to send ESP packets from different IPs than IKE packets, then usually not, i.e. the addresses in the negotiated IPsec SAs will be the same as those in the IKE SAs. However, there is a special mode called transport_proxy, which perhaps could be used for that (intended for MIPv6), I've no experience with it, though. Also note that hardware offloading enabled via hw_offload is currently configured on the interface on which the IPsec SA's local IP address is found.
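The first option in the reply above (IKE on the 10.79.x/10.78.x addresses, a CHILD_SA whose traffic selectors cover the 192.168.100.x hosts) written out as a swanctl.conf for HOST1. This is an added example, not configuration from the original thread or from the strongSwan project; the connection and child names, the identities and the PSK are assumptions, the addresses are the ones from the question. Because the child is negotiated in tunnel mode, the ESP packets still travel between the IKE endpoints, which is the constraint the reply describes; transport mode with different addresses is exactly what is not available here.

```conf
# Added example (not from the thread or from strongSwan itself): HOST1 side.
# IKE endpoints are the "side-band" addresses; the protected traffic is the
# 192.168.100.0/24 pair from the question. Names, IDs and PSK are assumed.
connections {
    sideband {
        version = 2
        local_addrs  = 10.79.1.1
        remote_addrs = 10.78.1.2
        local {
            auth = psk
            id = host1
        }
        remote {
            auth = psk
            id = host2
        }
        children {
            eth0-traffic {
                # Traffic selectors can differ from the IKE addresses...
                local_ts  = 192.168.100.1/32
                remote_ts = 192.168.100.2/32
                # ...but only in tunnel (or beet) mode. With mode = transport the
                # SA addresses must equal the IKE addresses, so the selectors
                # above would not match the negotiated SA.
                mode = tunnel
                esp_proposals = aes256gcm16
                # Offload is set up on the interface that owns the SA's local
                # address, i.e. the interface holding 10.79.1.1, not eth0.
                # "auto" falls back to software if the NIC does not support it.
                hw_offload = auto
            }
        }
    }
}

secrets {
    ike-hosts {
        id-1 = host1
        id-2 = host2
        # Placeholder: replace with a real, randomly generated secret.
        secret = "replace-with-a-real-psk"
    }
}
```

After `swanctl --load-all` and `swanctl --initiate --child eth0-traffic`, `swanctl --list-sas` should show the IKE_SA between 10.79.1.1 and 10.78.1.2 and the CHILD_SA with the 192.168.100.x selectors, and `ip xfrm state` should show the ESP states with src/dst set to the IKE addresses (mode tunnel), confirming that ESP is not being sent from the 192.168.100.x addresses.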