Hello!

I can't understand why ipsec-tools doesn't work with interfaces.

Imagine this network:

1.1.1.0/24-------------------------\
8.0.0.0/24-------------------------  \
192.168.0.0/16-----------------    \
172.16.0.0/24-------------------     \   -----1.1.1.0/24----[.1___router1___.1]----2.2.2.0/30----[2___router2___.1]----3.3.3.0/24-----other_networks_and_internet
10.10.0.0/16---------------------     /
10.3.0.0/20-----------------------   /
......---------------------------------- /
totally about 30 networks-----/
all networks are stub


2.2.2.0/30 is a leased line, but I must encrypt all traffic between router1 and router2.

It's easy when all stub networks talk with remote networks; these are the rules to encrypt on router1:

spdadd 1.1.1.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/2.2.2.1-2.2.2.2/require;
spdadd 0.0.0.0/0 1.1.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-2.2.2.1/require;
and the same for the other 29 networks: 60 rules in total.


But those networks can't communicate with each other via router1. To resolve this I have to make rules like this:

spdadd 1.1.1.0/24 8.0.0.0/24 any -P in none;
spdadd 1.1.1.0/24 8.0.0.0/24 any -P out none;
spdadd 8.0.0.0/24 1.1.1.0/24 any -P in none;
spdadd 8.0.0.0/24 1.1.1.0/24 any -P out none;

These rules must come first.


That's 4 additional rules for 2 networks.

For 30 networks it's 2*(29+28+27+...+2) = 868 rules total.

That's pretty dirty...

It could be much better if spdadd rules could handle interfaces.

For example, router1's interface eth0 with address 2.2.2.1:

spdadd 1.1.1.0/24 0.0.0.0/0 any -P out via eth0 ipsec esp/tunnel/2.2.2.1-2.2.2.2/require;
spdadd 0.0.0.0/0 1.1.1.0/24 any -P in via eth0 ipsec esp/tunnel/2.2.2.2-2.2.2.1/require;

So I would not need to make "-P in none" policies.

I know that I can make it much better by making a GRE tunnel between router1 and router2 and putting just 2 rules in the policy:

spdadd 2.2.2.1 2.2.2.2 any -P out ipsec esp/transport//require;
spdadd 2.2.2.2 2.2.2.1 any -P in ipsec esp/transport//require;

And make routing move packets via the GRE tunnel.
Yeah, it's better.
But in Cisco it's not required: I just configure a crypto map on the interface, so the other interfaces are simply excluded from IPsec policy checks.

What do you think about it?
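An added example, not part of the original post: a small generator for the setkey SPD file the post describes, so the rule explosion and the required ordering (pairwise "none" bypass policies before the catch-all ESP tunnel policies) can be reproduced rather than written by hand. It assumes the router endpoints 2.2.2.1 and 2.2.2.2 from the post; the list of stub networks is a constructed subset of the diagram, and the helper names (bypass_policies, tunnel_policies, gre_policies, build_spd, rule_count) are mine.

```python
"""Generate a setkey SPD policy file for a hub router with many stub networks.

Added example, not the original poster's code. Endpoints are taken from the
post; the stub network list is a constructed sample for illustration.
"""
from ipaddress import ip_network
from itertools import combinations

LOCAL_END = "2.2.2.1"    # router1's address on the leased line (from the post)
REMOTE_END = "2.2.2.2"   # router2's address on the leased line (from the post)

# Constructed sample: six of the ~30 stub networks behind router1.
STUB_NETWORKS = [
    "1.1.1.0/24",
    "8.0.0.0/24",
    "192.168.0.0/16",
    "172.16.0.0/24",
    "10.10.0.0/16",
    "10.3.0.0/20",
]


def bypass_policies(networks):
    """Pairwise 'none' policies so local stub networks reach each other in the clear.

    Four lines per unordered pair: both directions of traffic, in and out.
    """
    lines = []
    for a, b in combinations(networks, 2):
        for src, dst in ((a, b), (b, a)):
            for direction in ("in", "out"):
                lines.append(f"spdadd {src} {dst} any -P {direction} none;")
    return lines


def tunnel_policies(networks, local=LOCAL_END, remote=REMOTE_END):
    """Catch-all ESP tunnel policies: two lines per stub network."""
    lines = []
    for net in networks:
        lines.append(
            f"spdadd {net} 0.0.0.0/0 any -P out ipsec esp/tunnel/{local}-{remote}/require;"
        )
        lines.append(
            f"spdadd 0.0.0.0/0 {net} any -P in ipsec esp/tunnel/{remote}-{local}/require;"
        )
    return lines


def gre_policies(local=LOCAL_END, remote=REMOTE_END):
    """The two transport-mode policies that suffice once traffic rides a GRE tunnel."""
    return [
        f"spdadd {local} {remote} any -P out ipsec esp/transport//require;",
        f"spdadd {remote} {local} any -P in ipsec esp/transport//require;",
    ]


def build_spd(networks):
    """Full SPD file body; bypass pairs are emitted first, as the post requires."""
    for net in networks:
        ip_network(net)  # raises ValueError on a malformed prefix before anything is written
    return ["flush;", "spdflush;"] + bypass_policies(networks) + tunnel_policies(networks)


def rule_count(n):
    """Number of spdadd lines build_spd emits for n stub networks (excluding flush lines)."""
    return 4 * (n * (n - 1) // 2) + 2 * n


if __name__ == "__main__":
    # Pipe this into `setkey -c` on router1 after reviewing the output.
    print("\n".join(build_spd(STUB_NETWORKS)))
    print(f"# {rule_count(len(STUB_NETWORKS))} spdadd lines for {len(STUB_NETWORKS)} networks")
```

Swapping build_spd for gre_policies shows the contrast the post draws: the per-pair bypass list grows quadratically with the number of stub networks, while the GRE variant stays at two policies regardless.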