Nested IPsec tunnels
#1442
Replies: 1 comment 1 reply
-
On Mon, 4 Dec 2023, clbouvier wrote:
I failed to find any information about nested IPsec tunnels with libreswan.
A use case would be a first tunnel created between a roadwarrior machine and a first remote gateway (machine certificate).
The roadwarrior user (inside its desktop session) might create a second tunnel (on demand, inside the first one) to another gateway (inside the network behind the first gateway) with user authentication (a user certificate, for instance).
I could summarize with this diagram:
User session ---- laptop ---- gw1 ---- gw2 --- ...
                   <==Tunnel==>
<===========Tunnel===========>
This should be transparent, with no special handling needed, provided all parties do proper path MTU discovery and do not blackhole ICMP. E.g. the user session machine connecting to gw2 does not need to know that the laptop itself is using a tunnel.
Although I think perhaps you mean the laptop has two tunnels. One where it gets some IP working and then the 2nd tunnel to use that IP. In which case, if the IP is auto configured, you might need to issue an "ipsec whack --listen" to get pluto to listen on the newly obtained IP.
Answer selected by clbouvier
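As an added illustration (not from the discussion and not libreswan project code), here is a libreswan ipsec.conf sketch of the two connections the answer describes on the laptop: a machine-certificate tunnel to gw1 that obtains an inner address, and a user-certificate tunnel to gw2 that is brought up afterwards from that address. All hostnames, certificate nicknames, addresses and subnets are assumptions; the ordering comments follow the answer's note about running "ipsec whack --listen" when the inner address is auto-configured.

```conf
# Added illustration; hostnames, NSS certificate nicknames, addresses and
# subnets below are assumptions, not values from the discussion.
# Place in /etc/ipsec.d/nested.conf on the laptop.

# Tunnel 1: laptop <-> gw1, authenticated with the machine certificate.
# The laptop requests an inner address from gw1 (modecfg); gw2 sits in the
# network behind gw1, so that network is the far side of this tunnel.
conn laptop-to-gw1
    ikev2=insist
    authby=rsasig
    left=%defaultroute
    leftcert=laptop-machine-cert       # NSS nickname of the machine cert (assumed)
    leftid=%fromcert
    leftsendcert=always
    leftmodecfgclient=yes              # ask gw1 for an inner IP address
    right=gw1.example.com              # assumed public name of gw1
    rightid=%fromcert
    rightsubnet=10.1.0.0/16            # assumed network behind gw1 (contains gw2)
    narrowing=yes
    fragmentation=yes
    mobike=yes
    auto=add                           # started with: ipsec auto --up laptop-to-gw1

# Tunnel 2: laptop <-> gw2, authenticated with the user's certificate, with
# its IKE and ESP traffic carried inside tunnel 1. "left" is the inner
# address tunnel 1 assigned. When that address is auto-configured, run
# "ipsec whack --listen" once tunnel 1 is up so pluto listens on it, then
# "ipsec auto --up user-to-gw2".
conn user-to-gw2
    ikev2=insist
    authby=rsasig
    left=10.1.250.7                    # inner address assigned by gw1 (assumed value)
    leftcert=alice-user-cert           # NSS nickname of the user cert (assumed)
    leftid=%fromcert
    leftsendcert=always
    right=10.1.1.2                     # assumed address of gw2 inside gw1's network
    rightid=%fromcert
    rightsubnet=10.2.0.0/16            # assumed network behind gw2
    narrowing=yes
    auto=add
```

Both connections are loaded with auto=add and started by hand in order; the second one stays unoriented until pluto has an interface carrying the inner address, which is the situation the answer's "ipsec whack --listen" remark covers.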
-
I failed to find any information about nested IPsec tunnels with libreswan.
A use case would be a first tunnel created between a roadwarrior machine and a first remote gateway (machine certificate).
The roadwarrior user (inside its desktop session) might create a second tunnel (on demand, inside the first one) to another gateway (inside the network behind the first gateway) with user authentication (a user certificate, for instance).
I could summarize with this diagram:
User session ---- laptop ---- gw1 ---- gw2 --- ...
                   <==Tunnel==>
<===========Tunnel===========>
I can find some notes about IPsec nesting in another open-source IKEv2 implementation, with some limitations (bypass policies on IKE traffic, etc.).
I suppose that there are similar limitations with libreswan, but I would prefer to ask for insights before digging further into this kind of configuration. Is that the case?
Thank you.