Hello List,

I am asking if there is a way to bind charon to specific interfaces, as apparently the "interfaces_use" option in charon.conf only makes charon ignore packets arriving on other interfaces, not actually bind to them.

My background for asking this is that I am working with VRFs, and the docs about Route-based VPNs mention that XFRM interfaces can be bound to VRF master interfaces, but apparently not charon itself:

          XFRM interfaces can be associated to a VRF layer 3 master device, so any tunnel terminated by an XFRM interface implicitly is bound to that VRF domain. For example, this allows multi-tenancy setups where traffic from different tunnels can be separated and routed over different interfaces.

So configuring interfaces_use to the VRF master device of one dummy interface bound to a VRF still makes charon listen on "0.0.0.0/0" & "::/0" in the main VRF. To be able to receive ISAKMP packets in a VRF, I now have to use the "l3mdev hack" and set "net.ipv4.udp_l3mdev_accept" to 1, as every VRF has a default unreachable route with a high metric in it, as I'd like to avoid having to leak routes into the main VRF.


Kind regards,

Marcel Menzel
