| 123456789101112131415161718 |
- One connection with two CHILD_SAs between the hosts and subnet behind the
- gateways <b>moon</b> and <b>sun</b>, respectively, are set up using XFRM
- interfaces.
- <p/>
- The gateways use <b>route-based forwarding</b> with <b>XFRM interfaces</b>, with
- firewall rules to allow traffic to pass. Both peers use connection-defined
- interface IDs so all CHILD_SAs share the same XFRM interface. The IKE daemon
- does not install routes for CHILD_SAs with outbound interface ID, so routes for
- the target subnets are installed statically or via updown events.
- <p/>
- Both gateways use separate interfaces for in- and outbound traffic (which is
- completely optional and mainly for testing purposes, a single interface will
- usually be enough). Gateway <b>moon</b> creates them before initiating the
- connection, while gateway <b>sun</b> dynamically creates the interfaces via
- ike-updown event using the passed unique generated interface IDs.
- <p/>
- Clients <b>alice</b> and <b>venus</b> behind gateway <b>moon</b> ping client
- <b>bob</b> located behind gateway <b>sun</b>.
|
