Thank you for your response, Brady, and for pointing out this ip link option. I wasn't
aware of this.
However, I am trying to figure out a simplified way in our deployment to do this
for NM-controlled interfaces. This is pretty interesting, but I am unable to
get this to work yet:
* The docs refer to PHYS_DEV:
  ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ] [ external ]
  Can it be done on top of SR-IOV VFs?
* I tried it using if_id, creating ipsclre0 over an existing interface called
  clre0, though I haven't yet assigned policies and tested it:
  ipsclre0@clre0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
      link/none
      inet 10.106.2.43/24 scope global ipsclre0
I use the NIC with hardware offloads. Has this been tested with hardware
offloads, or is it supposed to work?
Thanks
Mamta
From: Brady Johnson <[email protected]>
Date: Thursday, December 12, 2024 at 1:30 AM
To: Mamta Gambhir <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [External] : Re: [Swan] ipsec preconfiguration
Mamta,
If you want to use an XFRM interface for a tunnel, that interface can either be
created internally by Pluto (Libreswan) or it can be created beforehand. I'm not
sure how to do it with the Network Manager, but I can tell you how to do it
with an 'ip link' command.
Here [0] is a reference man page explaining all of the details, just search for
xfrm.
This is the command syntax to create an xfrm link:
ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ] [ external ]

dev PHYS_DEV - specifies the underlying physical interface from which transform
traffic is sent and received.

if_id IF-ID - specifies the hexadecimal lookup key used to send traffic to and
from specific xfrm policies. Policies must be configured with the same key. If
not set, the key defaults to 0 and will match any policies which similarly do
not have a lookup key configuration.

external - make this device externally controlled. This flag is mutually
exclusive with the dev and if_id options.
Then, you can either let Libreswan manage the IPs on that interface, or add
them with either 'ip address' or nmcli commands.
If the XFRM interface is created by Libreswan, then it will use reference
counting and only delete the interface when no other tunnels are using the
interface. Likewise with the IP address for that interface, Libreswan will use
reference counting and only delete the IP address when no other tunnels are
using it. If the XFRM interface and/or IP address on that interface are created
outside of Libreswan, then you are responsible for not deleting them if they
are being used.
[0] https://man7.org/linux/man-pages/man8/ip-link.8.html
Regards,
Brady Johnson
Principal Software Engineer
Telco Verification Ecosystems Engineering
[email protected]
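As an added example (not code from this thread or from Libreswan), here is a small Python check for the if_id consistency described above: it parses `ip -d link show` and `ip xfrm policy` output and reports the policies whose lookup key does not match the pre-created XFRM interface, which is exactly the case where traffic is never steered through it. The sample outputs are constructed, and the function names and the 0x2a/0x2b keys are my own assumptions.

```python
import re

IF_ID_RE = re.compile(r"\bif_id\s+(0x[0-9a-fA-F]+|\d+)")    # lookup key on link or policy
LINK_HDR_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:")    # e.g. "3: ipsclre0@clre0: ..."
SELECTOR_RE = re.compile(r"^src\s+(\S+)\s+dst\s+(\S+)")       # first line of each policy
# Constructed sample of `ip -d link show` output (not captured from the poster's
# system); the device was created with `if_id 0x2a`.
LINK_OUTPUT = """\
3: ipsclre0@clre0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none promiscuity 0 minmtu 68 maxmtu 1500
    xfrm if_id 0x2a addrgenmode eui64 numtxqueues 1 numrxqueues 1
"""
# Constructed `ip xfrm policy` output: the inbound policy was loaded with the wrong key.
POLICY_OUTPUT = """\
src 10.106.2.0/24 dst 10.106.3.0/24
\tdir out priority 0 ptype main
\tif_id 0x2a
src 10.106.3.0/24 dst 10.106.2.0/24
\tdir in priority 0 ptype main
\tif_id 0x2b
"""

def parse_xfrm_interfaces(link_output):
    """Map XFRM device name -> if_id; a device shown without one has key 0."""
    devices, current = {}, None
    for line in link_output.splitlines():
        hdr = LINK_HDR_RE.match(line)
        if hdr:
            current = hdr.group(1)
        elif current and line.split()[:1] == ["xfrm"]:
            m = IF_ID_RE.search(line)
            devices[current] = int(m.group(1), 0) if m else 0
    return devices

def parse_policies(policy_output):
    """Return [(selector, if_id)] per policy; a policy without if_id has key 0."""
    policies = []
    for line in policy_output.splitlines():
        sel = SELECTOR_RE.match(line)
        if sel:
            policies.append([sel.group(1) + " -> " + sel.group(2), 0])
        elif policies and IF_ID_RE.search(line):
            policies[-1][1] = int(IF_ID_RE.search(line).group(1), 0)
    return [tuple(p) for p in policies]

def policies_not_matching(ifname, link_output, policy_output):
    """Policies whose key differs from ifname's if_id never steer traffic into it."""
    key = parse_xfrm_interfaces(link_output)[ifname]
    return [p for p in parse_policies(policy_output) if p[1] != key]
```

On a live host, feed it the real command output with `subprocess.run(["ip", "-d", "link", "show"], ...)` and `["ip", "xfrm", "policy"]`; an empty result means every policy carries the interface's key.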
On Thu, Dec 12, 2024 at 3:50 AM Mamta Gambhir via Swan
<[email protected]> wrote:
Per the docs at https://libreswan.org/man/ipsec.conf.5.html
It mentions:
ipsec-interface
On Linux, XFRMi interfaces can be managed by libreswan automatically or can be
preconfigured on the system using the existing init system or via networking
tools such as systemd-networkd and NetworkManager. The _updown script handles
certain Linux-specific interface settings required for proper functioning,
such as forwarding and routing rules for IPsec traffic.
What does it mean that they can be preconfigured via NetworkManager? Are there
any docs on how to do IPsec configuration using nmcli/NetworkManager?
Does that mean one won't need the /etc/ipsec.d/.conf files per IP interface, as
is done when IPsec is enabled using Libreswan?
Could someone please shed some light or point me to docs or any info?
Thanks
Mamta
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]