ipsec-tools: create a TUN interface for internal network.

Assume that the interface with default route is eth0. There are at
least three different ways to set up the internal network.

1. Set internal IP and routes with default gateway on eth0:1.
2. Add a host route on eth0. Set internal IP and direct routes on eth0:1.
3. Add a host route on eth0. Set internal IP and direct routes on tun0.

SPD is set to send all packets from internal IP through the tunnel. Packets
are encapsulated and the final destination is always the VPN server. The
kernel will re-route the packets after re-writing them.

In the first method, the kernel always gets the default gateway as all the
routing rules are added with it. In the second method, internal routes do
not need a gateway since packets will hit the host route after re-routing.
The third method pushes even further since packets will never reach tun0.

In Android, we use the third method for two reasons, easier to clean up
and monitor. The first method has the advantage of not using a host route.
However, it cannot be cleaned up by simply shutting down eth0:1 because
routing rules might stay. The other methods do not have this problem. They
need to handle the host route, but that is much easier. When racoon dies,
tun0 goes away and posts a netlink event, but eth0:1 does not. Therefore,
the third method is much easier to monitor since it gives us the same
behavior as other VPN types.

Change-Id: I0a6eeef471b5a64de39a907f4f4428e86c0b2484
2 files changed