This adds support for XFRM interfaces, which replace VTI devices and are
available with 4.19+ Linux kernels.
IPsec SAs and policies are associated with such interfaces via interface
IDs that can be configured on the CHILD_SA-level (dynamic IDs may
optionally be allocated for each instance and even direction) or on the
IKE_SA-level (again, dynamic IDs may be optionally allocated per IKE_SA).
IDs on an IKE_SA are inherited by all CHILD_SAs created under it, unless
the child configuration overrides them.
The effect the interface ID has on policies is similar to that of marks,
i.e. they won't match packets unless they are routed via interface with
matching interface ID. So it's possible to negotiate e.g. 0.0.0.0/0 as
traffic selector on both sides and then control the affected traffic via
routes/firewall.
It's possible to use separate interfaces for in- and outbound traffic (or
only use an interface in one direction and regular policies in the other).
Since iproute2 does not yet support XFRM interfaces, a small utility is
provided that allows creating and listing XFRM interfaces.
Interfaces may be created dynamically via updown/vici scripts or
statically (before or after establishing the SAs). Routes must be added
manually as needed (the daemon will not install any routes for outbound
policies with an interface ID).
When moving XFRM interfaces to other network namespaces they retain access
to the SAs and policies created in the original namespace, which allows
providing IPsec tunnels for processes in other network namespaces without
giving them access to the IPsec keys or IKE credentials.
projects / thirdparty / strongswan.git / commit
