Mamta,

If you want to use an XFRM interface for a tunnel, that interface can
either be created internally by Pluto (Libreswan) or it can be created
beforehand. I'm not sure how to do it with the Network Manager, but I can
tell you how to do it with an 'ip link' command.

Here [0] is a reference man page explaining all of the details, just search
for xfrm.

This is the command syntax to create an xfrm link:

ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ] [ external ]

dev PHYS_DEV - specifies the underlying physical interface from which
               transform traffic is sent and received.

if_id IF_ID - specifies the hexadecimal lookup key used to send traffic
              to and from specific xfrm policies. Policies must be
              configured with the same key. If not set, the key defaults
              to 0 and will match any policies which similarly do not
              have a lookup key configuration.

external - make this device externally controlled. This flag is
           mutually exclusive with the dev and if_id options.

Then, you can either let Libreswan manage the IPs on that interface, or add
them with either 'ip address' or nmcli commands.

If the XFRM interface is created by Libreswan, then it will use reference
counting and only delete the interface when no other tunnels are using the
interface. Likewise with the IP address for that interface, Libreswan will
use reference counting and only delete the IP address when no other tunnels
are using it. If the XFRM interface and/or IP address on that interface are
created outside of Libreswan, then you are responsible for not deleting
them if they are being used.

[0] https://man7.org/linux/man-pages/man8/ip-link.8.html

Regards,

*Brady Johnson*
Principal Software Engineer
Telco Verification Ecosystems Engineering
[email protected]
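As an added example (this is not Brady's command sequence or Libreswan code), the steps above as a POSIX shell script: it validates the lookup key, emits the two 'ip' commands for review, and after creation checks that the kernel reports the if_id that was requested. The device eth0, interface name ipsec1, key 0x1 and address 10.0.1.1/24 are hypothetical placeholders, and the 'ip -d link show' output used for the offline check is constructed.

```shell
#!/bin/sh
# Added example: not code from the original email or from Libreswan.
# Pre-creates an XFRM interface with 'ip link' as the reply describes, puts
# an address on it, and checks that the kernel reports the lookup key that
# was requested. All names and values are hypothetical placeholders.
PHYS_DEV=eth0          # underlying physical interface (dev PHYS_DEV)
IFNAME=ipsec1          # name of the XFRM interface to create
IF_ID=0x1              # lookup key; the tunnel's xfrm policies must carry the same if_id
ADDR=10.0.1.1/24       # address assigned to the XFRM interface

# Accept a non-zero 32-bit hexadecimal key written with a 0x prefix.
# Key 0 is refused on purpose: it matches every policy that has no key.
valid_if_id() {
    hex="${1#0x}"
    [ "$hex" != "$1" ] || return 1            # needs the 0x prefix
    [ -n "$hex" ] && [ "${#hex}" -le 8 ] || return 1
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    case "$hex" in *[!0]*) return 0 ;; *) return 1 ;; esac
}

# The two commands from the reply, produced as text so they can be reviewed
# before they are run (see the "apply" branch at the bottom).
link_add_cmd() {
    printf 'ip link add %s type xfrm dev %s if_id %s\n' "$IFNAME" "$PHYS_DEV" "$IF_ID"
}
addr_add_cmd() {
    printf 'ip address add %s dev %s\n' "$ADDR" "$IFNAME"
}

# Pull the key out of 'ip -d link show dev IFNAME' output; iproute2 prints the
# xfrm details on a line such as "xfrm dev eth0 if_id 0x1 ...". Prints nothing
# when no key is shown.
if_id_from_link_detail() {
    sed -n 's/.*[[:space:]]if_id[[:space:]]\([0-9a-fA-Fx]*\).*/\1/p' | head -n 1
}

# Normalise hex for comparison: drop 0x, lower-case, strip leading zeros.
norm_hex() {
    printf '%s' "${1#0x}" | tr 'A-F' 'a-f' | sed 's/^0*//'
}

# $1 = 'ip -d link show' output, $2 = expected key. True when they agree.
verify_if_id() {
    reported=$(printf '%s\n' "$1" | if_id_from_link_detail)
    [ -n "$reported" ] && [ "$(norm_hex "$reported")" = "$(norm_hex "$2")" ]
}

# Constructed sample of 'ip -d link show dev ipsec1' output for offline checks.
SAMPLE_LINK_DETAIL='7: ipsec1@eth0: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none promiscuity 0 minmtu 68 maxmtu 1500
    xfrm dev eth0 if_id 0x1 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535'

# Run with "apply" (as root) to change the system; without it only prints.
if [ "${1:-}" = "apply" ]; then
    valid_if_id "$IF_ID" || { echo "invalid if_id: $IF_ID" >&2; exit 1; }
    ip link show dev "$PHYS_DEV" >/dev/null || exit 1   # underlying device must exist
    eval "$(link_add_cmd)" || exit 1
    eval "$(addr_add_cmd)" || exit 1
    ip link set "$IFNAME" up || exit 1
    # Because this interface was created outside Libreswan, it is not
    # reference counted: do not delete it or its address while tunnels use it.
    if verify_if_id "$(ip -d link show dev "$IFNAME")" "$IF_ID"; then
        echo "$IFNAME on $PHYS_DEV with if_id $IF_ID"
    else
        echo "kernel reports a different if_id on $IFNAME" >&2; exit 1
    fi
else
    link_add_cmd; addr_add_cmd
fi
```

Run it without arguments to see the commands it would issue; run it as root with `apply` to create the interface. The if_id check at the end is the part worth keeping: a key that differs from the one in the tunnel's policies means traffic is never steered onto the interface, and a key of 0 silently matches every unkeyed policy, which is why the script refuses it.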



On Thu, Dec 12, 2024 at 3:50 AM Mamta Gambhir via Swan <
[email protected]> wrote:

> Per the docs at https://libreswan.org/man/ipsec.conf.5.html
>
> It mentions –
>
> ipsec-interface
> On Linux, XFRMi interfaces can be managed by libreswan automatically or can
> be preconfigured on the system using the existing init system or via
> networking tools such as systemd-networkd and NetworkManager. The _updown
> script handles certain Linux specific interfaces settings required for
> proper functioning, such as forwarding and routing rules for IPsec traffic.
>
> What does it mean that they can be preconfigured via NetworkManager? Are
> there any docs on how to do ipsec configuration using nmcli/NetworkManager?
> Does that mean one won't need the /etc/ipsec.d/.conf files per ip
> interface as is done for when ipsec is enabled using libreswan?
>
> Could someone please shed any light or point me to docs or any info?
>
> Thanks
>
> Mamta
> _______________________________________________
> Swan mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]