farp Plugin

Purpose

The farp plugin for libcharon fakes ARP responses for requests to, e.g., a virtual IP address assigned to a peer.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-farp

Behavior

With the plugin enabled, the IKEv2 daemon responds with its own MAC address to ARP requests for IP addresses in the remote traffic selectors. These are typically virtual IP addresses that were handed out to clients, but they could be complete subnets.

In combination with the dhcp plugin, this plugin lets a road-warrior fully act as a client on the local LAN of the responder.

Limitations

Since strongSwan version 5.9.2 the plugin also works on Mac OS X and FreeBSD. That wasn’t the case for previous versions because the implementation relied on AF/PF_PACKET sockets only. If you use such a version or don’t have the plugin available for other reasons, ARP proxying for virtual IP addresses can be achieved via the arp(8) utility and an updown script, e.g.

# Publish or withdraw a proxy ARP entry for the peer's first IPv4 virtual IP
case "$PLUTO_VERB" in
    up-client)
        arp -s "${PLUTO_PEER_SOURCEIP4_1}" auto pub
        ;;
    down-client)
        arp -d "${PLUTO_PEER_SOURCEIP4_1}" pub
        ;;
esac
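
A more defensive form of the updown fragment above, as an added example that is not strongSwan's own code. It goes beyond the single-address case by covering every IPv4 virtual IP in the updown environment (PLUTO_PEER_SOURCEIP4_1, _2, ...) and by validating each value before it reaches arp(8). ARP_CMD and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: proxy-ARP updown helper for all IPv4 virtual IPs of a peer.
# ARP_CMD is a hypothetical override so the logic can be dry-run without root,
# e.g. ARP_CMD="echo arp".
ARP_CMD=${ARP_CMD:-arp}

# Succeed only for a dotted quad whose four octets are each in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Walk PLUTO_PEER_SOURCEIP4_1, _2, ... until the first unset/empty variable
# and add ($1 = add) or delete ($1 = del) a published ARP entry for each.
for_each_vip() {
    action=$1 i=1
    while :; do
        eval "vip=\${PLUTO_PEER_SOURCEIP4_$i:-}"
        [ -n "$vip" ] || break
        if is_ipv4 "$vip"; then
            case $action in
                add) $ARP_CMD -s "$vip" auto pub ;;
                del) $ARP_CMD -d "$vip" pub ;;
            esac
        else
            # Never pass an unvalidated value to a command run as root.
            echo "skipping invalid virtual IP: $vip" >&2
        fi
        i=$((i + 1))
    done
}

case ${PLUTO_VERB:-} in
    up-client)   for_each_vip add ;;
    down-client) for_each_vip del ;;
esac
```

Run it once with ARP_CMD="echo arp" and constructed PLUTO_* variables to see which arp commands would be issued before installing it as the updown script.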