Nested IPsec tunnels #1442

clbouvier · 2023-12-05T06:00:52Z

clbouvier
Dec 5, 2023

I failed to find any information about the nested IPsec tunnels with libreswan.

An use case would be a first tunnel created between a roadwarrior machine and a first remote gateway (machine certificate)
The roadwarrior user (inside its desktop session) might create a second tunnel (on demand inside the first one) to another gateway (inside the network behind the first gateway) with an user authentication (user certificate for instance)

I could summarize with this diagram:

User session ---- laptop ---- gw1 ---- gw2 --- ...
                    <==Tunnel==>
           <===========Tunnel===========>

I can find some notes about the IPsec nesting on another opensource IKEv2 implementation with some limitations (bypass policies on IKE traffic, etc..)
I suppose that there are similar limitations with libreswan but I would prefer to ask for insights before digging more on this kind of configuration. Is it the case?
Thank you.

Answered by letoams

Dec 5, 2023

On Mon, 4 Dec 2023, clbouvier wrote: I failed to find any information about the nested IPsec tunnels with libreswan. An use case would be a first tunnel created between a roadwarrior machine and a first remote gateway (machine certificate) The roadwarrior user (inside its desktop session) might create a second tunnel (on demand inside the first one) to another gateway (inside the network behind the first gateway) with an user authentication (user certificate for instance) I could summarize with this diagram: User session ---- laptop ---- gw1 ---- gw2 --- ... <==Tunnel==> <===========Tunnel===========>

This should be transparent, with no special handling needed, provided all parties do pro…

View full answer

letoams · 2023-12-05T13:57:30Z

letoams
Dec 5, 2023
Maintainer

On Mon, 4 Dec 2023, clbouvier wrote: I failed to find any information about the nested IPsec tunnels with libreswan. An use case would be a first tunnel created between a roadwarrior machine and a first remote gateway (machine certificate) The roadwarrior user (inside its desktop session) might create a second tunnel (on demand inside the first one) to another gateway (inside the network behind the first gateway) with an user authentication (user certificate for instance) I could summarize with this diagram: User session ---- laptop ---- gw1 ---- gw2 --- ... <==Tunnel==> <===========Tunnel===========>

This should be transparent, with no special handling needed, provided all parties do proper path MTU discovery and not blackhole ICMP. eg the user session machine connecting to gw2 does not need to know that the laptop itself is using a tunnel. Although I think perhaps you mean the laptop has two tunnels. One where it gets some IP working and then the 2nd tunnel to use that IP. In which case if the IP is auto configured you might need to issue an "ipsec whack --listen" to get pluto to listen on the newly obtained IP.

1 reply

clbouvier Dec 7, 2023
Author

Thank you.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Nested IPsec tunnels #1442

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Nested IPsec tunnels #1442

clbouvier Dec 5, 2023

Replies: 1 comment · 1 reply

letoams Dec 5, 2023 Maintainer

clbouvier Dec 7, 2023 Author

clbouvier
Dec 5, 2023

Replies: 1 comment 1 reply

letoams
Dec 5, 2023
Maintainer

clbouvier Dec 7, 2023
Author